diff --git a/.chainsaw.yaml b/.chainsaw.yaml new file mode 100644 index 000000000000..e7937647f305 --- /dev/null +++ b/.chainsaw.yaml @@ -0,0 +1,15 @@ +apiVersion: chainsaw.kyverno.io/v1alpha1 +kind: Configuration +metadata: + name: configuration +spec: + timeouts: + assert: 90s + error: 90s + parallel: 1 + fullName: true + failFast: true + excludeTestRegex: '_.+' + forceTerminationGracePeriod: 5s + delayBeforeCleanup: 3s + template: false \ No newline at end of file diff --git a/.github/actions/setup-build-env/action.yaml b/.github/actions/setup-build-env/action.yaml index 3c45bb9f7842..5120b9646935 100644 --- a/.github/actions/setup-build-env/action.yaml +++ b/.github/actions/setup-build-env/action.yaml @@ -30,7 +30,7 @@ runs: git fetch --prune --unshallow - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 with: - go-version: ~1.21.3 + go-version: ~1.22.2 - uses: actions/cache@4723a57e26efda3a62cbde1812113b730952852d # v3.2.2 with: path: ~/go/pkg/mod diff --git a/.github/workflows/conformance.yaml b/.github/workflows/conformance.yaml index 28e81b40ca04..134854df3a85 100644 --- a/.github/workflows/conformance.yaml +++ b/.github/workflows/conformance.yaml @@ -513,10 +513,6 @@ jobs: - standard - custom-sigstore k8s-version: - - name: v1.25 - version: v1.25.x - - name: v1.26 - version: v1.26.x - name: v1.27 version: v1.27.x - name: v1.28 @@ -534,9 +530,9 @@ jobs: with: build-cache-key: run-conformance - name: Create kind cluster and setup Sigstore Scaffolding - uses: sigstore/scaffolding/actions/setup@d120ad89e1f5c9d4a0bbd92959c6874be2a2131d + uses: sigstore/scaffolding/actions/setup@26f31cb72ca848bb0273fcbd7a4ebf187ec4d711 with: - version: 'v0.6.8' + version: main k8s-version: ${{ matrix.k8s-version.version }} knative-version: '1.10.0' - name: Create TUF values config map 
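Review bot: The new `.chainsaw.yaml` is written without a trailing newline (the hunk ends in `\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule reports and which turns any future append to the file into a two-line diff. Add a final newline after `template: false`. The remaining values (`assert: 90s`, `error: 90s`, `failFast: true`, `excludeTestRegex: '_.+'`) are plain or quoted scalars that parse as intended.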
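Review bot: `version: main` replaces the pinned `'v0.6.8'` for the Sigstore scaffolding setup, so the conformance job now follows a moving branch of a third-party project even though the action itself is pinned to a commit SHA on the line above; the Fulcio/Rekor/TUF environment can then change between two runs of the same kyverno commit, and a failure becomes hard to bisect. Pin it to a tagged release or commit and bump deliberately, e.g. `version: '<scaffolding release tag>'` (placeholder), and if `main` is needed for an unreleased fix, add a comment naming that fix so the value can be re-pinned once it ships. The `k8s-version` matrix change in the preceding hunk is a plain deletion and needs nothing.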
@@ -571,7 +567,7 @@ jobs: TEST_IMAGE_URL=ttl.sh/${IMAGE_NAME}:1h crane copy cgr.dev/chainguard/static@$DIGEST $TEST_IMAGE_URL cosign initialize --mirror $TUF_MIRROR --root $TUF_MIRROR/root.json - COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token `curl -s $ISSUER_URL` -y + COSIGN_EXPERIMENTAL=1 cosign sign --rekor-url $REKOR_URL --fulcio-url $FULCIO_URL $TEST_IMAGE_URL --identity-token $OIDC_TOKEN -y echo "TEST_IMAGE_URL=$TEST_IMAGE_URL" >> $GITHUB_ENV - name: Wait for kyverno ready uses: ./.github/actions/kyverno-wait-ready 
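Review bot: The new `cosign sign` line reads `$OIDC_TOKEN`, but nothing in this hunk sets it, and the `run:` block it belongs to starts before the hunk; if the variable comes from an earlier step and is ever unset or empty, bash drops the bare expansion and `--identity-token` consumes `-y` as its value, which fails in a confusing way instead of a clear one. Guard and quote it, e.g. `: "${OIDC_TOKEN:?OIDC_TOKEN is not set}"` near the top of the step and `--identity-token "$OIDC_TOKEN"` on this line. The other unquoted expansions on the line (`$REKOR_URL`, `$FULCIO_URL`, `$TEST_IMAGE_URL`) predate this change.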
@@ -585,6 +581,74 @@ jobs: - name: Debug failure if: failure() uses: ./.github/actions/kyverno-logs + + chainsaw: + runs-on: ubuntu-latest + permissions: + packages: read + strategy: + fail-fast: false + matrix: + k8s-version: + - name: v1.27 + version: v1.27.13 + - name: v1.28 + version: v1.28.9 + - name: v1.29 + version: v1.29.4 + tests: + - chainsaw + needs: prepare-images + name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }} + steps: + - name: Checkout + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + # install tools + - name: Install helm + id: helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Install chainsaw + uses: kyverno/action-install-chainsaw@dd64b5d7b2b7d36fdf701d48ac8b216aa94414db # v0.2.4 + # create cluster + - name: Create kind cluster + uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 + with: + node_image: kindest/node:${{ matrix.k8s-version.version }} + cluster_name: kind + config: ./scripts/config/kind/default.yaml + # deploy kyverno + - name: Download kyverno images archive + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: kyverno.tar + - name: Load kyverno images archive in kind cluster + shell: bash + run: | + set -e + kind load image-archive kyverno.tar --name kind + - name: Install kyverno + shell: bash + run: | + set -e + export HELM=${{ steps.helm.outputs.helm-path }} + export USE_CONFIG=${{ join(matrix.config.values, ',') }} + make kind-install-kyverno + - name: Wait for kyverno ready + uses: ./.github/actions/kyverno-wait-ready + # run tests + - name: Test with Chainsaw + shell: bash + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -e + cd ./test/conformance/chainsaw/ && chainsaw test --config ../../../.chainsaw.yaml + # debug + - name: Debug failure + if: failure() + uses: ./.github/actions/kyverno-logs # runs conformance test 
suites with configuration: default: diff --git a/Makefile b/Makefile index 582e73692e4f..fe7eb50c07c8 100644 --- a/Makefile +++ b/Makefile @@ -36,7 +36,7 @@ TOOLS_DIR := $(PWD)/.tools KIND := $(TOOLS_DIR)/kind KIND_VERSION := v0.20.0 CONTROLLER_GEN := $(TOOLS_DIR)/controller-gen -CONTROLLER_GEN_VERSION := v0.12.0 +CONTROLLER_GEN_VERSION := v0.14.0 CLIENT_GEN := $(TOOLS_DIR)/client-gen LISTER_GEN := $(TOOLS_DIR)/lister-gen INFORMER_GEN := $(TOOLS_DIR)/informer-gen @@ -488,12 +488,12 @@ codegen-client-all: codegen-register codegen-defaulters codegen-applyconfigurati .PHONY: codegen-crds-kyverno codegen-crds-kyverno: $(CONTROLLER_GEN) ## Generate kyverno CRDs @echo Generate kyverno crds... >&2 - @$(CONTROLLER_GEN) crd paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) + @$(CONTROLLER_GEN) paths=./api/kyverno/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) .PHONY: codegen-crds-report codegen-crds-report: $(CONTROLLER_GEN) ## Generate policy reports CRDs @echo Generate policy reports crds... >&2 - @$(CONTROLLER_GEN) crd paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) + @$(CONTROLLER_GEN) paths=./api/policyreport/... crd:crdVersions=v1 output:dir=$(CRDS_PATH) .PHONY: codegen-crds-cli codegen-crds-cli: $(CONTROLLER_GEN) ## Generate CLI CRDs diff --git a/api/kyverno/v1/common_types.go b/api/kyverno/v1/common_types.go index b68709c5f98e..9db9513cd00a 100644 --- a/api/kyverno/v1/common_types.go +++ b/api/kyverno/v1/common_types.go 
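Review bot: The `Install kyverno` step in the new `chainsaw` job exports `USE_CONFIG=${{ join(matrix.config.values, ',') }}`, but this job's matrix defines only `k8s-version` and `tests`, so `matrix.config` is undefined, the expression expands to an empty string and `make kind-install-kyverno` runs with `USE_CONFIG=` — presumably not the same configuration the other conformance jobs (whose matrices sit outside this hunk) pass in. Either add a `config` axis to this matrix mirroring those jobs or replace the line with an explicit value, e.g. `export USE_CONFIG=<config name>` (placeholder). Separately, `tests` is a single-element axis (`- chainsaw`) used only in `name: ${{ matrix.k8s-version.name }} - ${{ matrix.tests }}`, so it could be dropped and the name written as `${{ matrix.k8s-version.name }} - chainsaw`.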
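Review bot: The bare `crd` generator argument is removed from `codegen-crds-kyverno` and `codegen-crds-report`, leaving `crd:crdVersions=v1` as the only generator, but `codegen-crds-cli`, whose target line is the hunk's last context line, is not shown changed and its recipe lies outside the hunk; if it still passes both forms, the three targets would behave differently under the `CONTROLLER_GEN_VERSION := v0.14.0` bump made earlier in this file. Worth confirming it receives the same edit. The reason for the removal is not recorded anywhere in the diff; a one-line comment above the first target such as `# controller-gen v0.14.0: pass crd:crdVersions=v1 once, not alongside a bare 'crd'` would keep the next version bump from reintroducing it.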
@@ -396,6 +396,11 @@ type Validation struct { // CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/). // +optional CEL *CEL `json:"cel,omitempty" yaml:"cel,omitempty"` + + // AllowExistingViolations allows prexisting violating resources to continue violating a policy. + // +kubebuilder:validation:Optional + // +kubebuilder:default=true + AllowExistingViolations *bool `json:"allowExistingViolations,omitempty" yaml:"allowExistingViolations,omitempty"` } // PodSecurity applies exemptions for Kubernetes Pod Security admission diff --git a/api/kyverno/v1/rule_types.go b/api/kyverno/v1/rule_types.go index 82cc0e8850e2..60bd69cc19a2 100644 --- a/api/kyverno/v1/rule_types.go +++ b/api/kyverno/v1/rule_types.go @@ -152,6 +152,17 @@ func (r *Rule) HasValidate() bool { return !datautils.DeepEqual(r.Validation, Validation{}) } +// HasValidateAllowExistingViolations() checks for allowExisitingViolations under validate rule +func (r *Rule) HasValidateAllowExistingViolations() bool { + var allowExisitingViolations bool + if r.Validation.AllowExistingViolations == nil { + allowExisitingViolations = true + } else { + allowExisitingViolations = *r.Validation.AllowExistingViolations + } + return allowExisitingViolations +} + // HasGenerate checks for generate rule func (r *Rule) HasGenerate() bool { return !datautils.DeepEqual(r.Generation, Generation{}) diff --git a/api/kyverno/v1/zz_generated.deepcopy.go b/api/kyverno/v1/zz_generated.deepcopy.go index 68abf39380ac..555a388a13fe 100755 --- a/api/kyverno/v1/zz_generated.deepcopy.go +++ b/api/kyverno/v1/zz_generated.deepcopy.go @@ -1558,6 +1558,11 @@ func (in *Validation) DeepCopyInto(out *Validation) { *out = new(CEL) (*in).DeepCopyInto(*out) } + if in.AllowExistingViolations != nil { + in, out := &in.AllowExistingViolations, &out.AllowExistingViolations + *out = new(bool) + **out = **in + } return } 
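Review bot: The new doc comment on `AllowExistingViolations` has a typo (`prexisting`) and does not state the default, although `+kubebuilder:default=true` sets one in the CRD schema; because this field decides whether resources that already violate a validate rule keep being allowed, policy authors should see from the comment that leaving it unset means `true`. Suggest `// AllowExistingViolations allows preexisting violating resources to continue violating a policy. Defaults to true when unset.` The enclosing `Validation` struct begins before the hunk.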
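Review bot: `HasValidateAllowExistingViolations` misspells its local variable as `allowExisitingViolations`, and the doc comment repeats the misspelling and appends `()` to the function name, which godoc convention omits; the six-line body also just expresses a nil-default. Suggest `// HasValidateAllowExistingViolations reports whether the validate rule allows preexisting violations; unset means true.` followed by `if r.Validation.AllowExistingViolations == nil { return true }` and `return *r.Validation.AllowExistingViolations`. The neighbouring `HasValidate` and `HasGenerate` lines are unchanged context.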
diff --git a/charts/kyverno/charts/crds/templates/crds.yaml b/charts/kyverno/charts/crds/templates/crds.yaml index 1a3f1c8970c9..be9734d8773b 100644 --- a/charts/kyverno/charts/crds/templates/crds.yaml +++ b/charts/kyverno/charts/crds/templates/crds.yaml @@ -8,7 +8,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -58,14 +58,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -79,25 +84,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion 
@@ -129,35 +142,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -169,11 +182,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -181,66 +193,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -279,17 +288,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -343,7 +353,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -397,14 +407,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -433,35 +448,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -473,11 +488,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -485,66 +499,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -583,17 +594,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -645,7 +657,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -674,14 +686,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -693,10 +710,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -707,11 +725,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -729,17 +747,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -750,11 +769,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -772,9 +791,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -783,13 +802,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -809,12 +829,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -827,22 +847,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -859,8 +881,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -871,9 +894,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -886,21 +909,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -913,13 +938,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -929,10 +955,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -953,11 +979,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -965,52 +990,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1022,19 +1044,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1054,38 +1074,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1097,12 +1114,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1117,32 +1132,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1171,11 +1182,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1183,52 +1193,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1240,19 +1247,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1272,38 +1277,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1315,12 +1317,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1335,32 +1335,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1372,10 +1368,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1396,11 +1393,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1408,52 +1404,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1465,19 +1458,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1497,38 +1488,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1540,12 +1528,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1560,32 +1546,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1614,11 +1596,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1626,52 +1607,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1683,19 +1661,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1715,38 +1691,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1758,12 +1731,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1778,32 +1749,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1826,42 +1793,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1875,11 +1842,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1915,14 +1883,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1934,10 +1907,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -1948,11 +1922,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -1970,17 +1944,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -1991,11 +1966,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2013,9 +1988,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2024,13 +1999,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -2050,12 +2026,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2068,22 +2044,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2100,8 +2078,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -2112,9 +2091,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -2127,21 +2106,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2154,13 +2135,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -2170,10 +2152,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -2194,11 +2176,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2206,52 +2187,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2263,19 +2241,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2295,38 +2271,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2338,12 +2311,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2358,32 +2329,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2412,11 +2379,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2424,52 +2390,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2481,19 +2444,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2513,38 +2474,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2556,12 +2514,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2576,32 +2532,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2613,10 +2565,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -2637,11 +2590,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2649,52 +2601,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2706,19 +2655,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2738,38 +2685,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2781,12 +2725,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2801,32 +2743,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2855,11 +2793,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2867,52 +2804,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2924,19 +2858,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2956,38 +2888,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2999,12 +2928,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -3019,32 +2946,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -3067,42 +2990,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -3116,11 +3039,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -3153,7 +3077,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io 
@@ -3204,14 +3128,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3225,25 +3154,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion 
@@ -3275,35 +3212,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3315,11 +3252,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -3327,66 +3263,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3425,17 +3358,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -3489,7 +3423,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -3543,14 +3477,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3579,35 +3518,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3619,11 +3558,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -3631,66 +3569,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3729,17 +3664,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -3791,7 +3727,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -3820,14 +3756,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3839,10 +3780,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -3853,11 +3795,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3875,17 +3817,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -3896,11 +3839,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3918,9 +3861,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -3929,13 +3872,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -3955,12 +3899,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -3973,22 +3917,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4005,8 +3951,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -4017,9 +3964,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4032,21 +3979,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -4059,13 +4008,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -4075,10 +4025,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -4099,11 +4049,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4111,52 +4060,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4168,19 +4114,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4200,38 +4144,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4243,12 +4184,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4263,32 +4202,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -4317,11 +4252,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4329,52 +4263,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4386,19 +4317,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4418,38 +4347,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4461,12 +4387,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4481,32 +4405,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -4518,10 +4438,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -4542,11 +4463,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4554,52 +4474,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4611,19 +4528,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4643,38 +4558,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4686,12 +4598,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4706,32 +4616,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -4760,11 +4666,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4772,52 +4677,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4829,19 +4731,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4861,38 +4761,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4904,12 +4801,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4924,32 +4819,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -4972,42 +4863,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -5021,11 +4912,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -5061,14 +4953,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5080,10 +4977,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -5094,11 +4992,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -5116,17 +5014,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -5137,11 +5036,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -5159,9 +5058,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5170,13 +5069,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -5196,12 +5096,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -5214,22 +5114,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5246,8 +5148,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -5258,9 +5161,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -5273,21 +5176,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -5300,13 +5205,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -5316,10 +5222,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -5340,11 +5246,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5352,52 +5257,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5409,19 +5311,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5441,38 +5341,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5484,12 +5381,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5504,32 +5399,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5558,11 +5449,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5570,52 +5460,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5627,19 +5514,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5659,38 +5544,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5702,12 +5584,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5722,32 +5602,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5759,10 +5635,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -5783,11 +5660,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5795,52 +5671,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5852,19 +5725,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5884,38 +5755,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5927,12 +5795,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5947,32 +5813,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6001,11 +5863,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6013,52 +5874,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6070,19 +5928,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6102,38 +5958,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6145,12 +5998,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6165,32 +6016,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6213,42 +6060,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -6262,11 +6109,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -6299,7 +6147,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io 
@@ -6360,14 +6208,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6376,95 +6229,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -6475,15 +6332,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -6505,13 +6361,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6526,22 +6381,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -6558,8 +6415,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -6570,10 +6428,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -6587,21 +6444,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6614,13 +6473,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -6630,10 +6490,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -6655,11 +6515,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6667,58 +6526,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6731,20 +6581,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6764,42 +6611,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6812,12 +6652,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6832,32 +6670,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -6888,11 +6721,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6900,58 +6732,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6964,20 +6787,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6997,42 +6817,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7045,12 +6858,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7065,32 +6876,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -7108,20 +6914,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7129,52 +6934,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7186,19 +6988,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -7218,38 +7018,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7261,12 +7058,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7281,32 +7076,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -7322,10 +7113,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -7347,34 +7138,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7386,21 +7176,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -7412,12 +7200,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -7428,50 +7215,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -7493,11 +7277,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7505,58 +7288,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7569,20 +7343,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -7602,42 +7373,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7650,12 +7414,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7670,32 +7432,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -7726,11 +7483,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7738,58 +7494,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7802,20 +7549,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -7835,42 +7579,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7883,12 +7620,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7903,32 +7638,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -7946,20 +7676,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7967,52 +7696,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8024,19 +7750,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -8056,38 +7780,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8099,12 +7820,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -8119,32 +7838,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -8170,15 +7885,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8200,14 +7914,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -8222,25 +7934,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8258,8 +7969,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -8272,11 +7983,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8290,23 +7999,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -8319,15 +8028,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -8340,42 +8048,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8389,13 +8096,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -8415,20 +8120,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8442,13 +8145,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -8468,10 +8169,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8480,14 +8180,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -8503,15 +8204,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8533,14 +8233,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -8555,25 +8253,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8591,8 +8288,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -8605,11 +8302,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8623,23 +8318,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -8652,15 +8347,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8679,13 +8373,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -8699,27 +8392,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
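Review bot: The new `allowExistingViolations` field added in this hunk is a security-relevant knob whose description is too thin to act on: it defaults to `true` (the permissive behaviour every existing policy silently inherits), yet the text neither states the default nor says what `false` does, and it misspells "prexisting". Since this CRD looks generated (controller-gen-style reflow throughout), the wording should be fixed in the Go type's doc comment rather than here, e.g. `AllowExistingViolations allows pre-existing violating resources to continue violating a policy. Defaults to true; set to false to have the policy also reject updates to resources that already violate it.` The "also reject updates" clause is my reading of the field name, not something this hunk shows, so confirm it against the validation code before adopting it. Operators should be told explicitly that the stricter behaviour only applies when the field is set to `false`, because the default keeps the old lenient semantics.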
@@ -8734,39 +8432,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -8782,113 +8486,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -8899,13 +8589,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -8913,77 +8605,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8996,40 +8693,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -9042,11 +8733,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -9060,23 +8751,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -9098,14 +8788,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -9120,25 +8808,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9156,8 +8843,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -9170,11 +8857,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -9188,23 +8873,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -9217,15 +8902,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -9239,47 +8923,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9293,13 +8973,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -9319,20 +8997,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9346,13 +9022,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -9372,10 +9046,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -9397,31 +9070,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -9442,19 +9109,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -9462,33 +9124,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9499,8 +9153,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
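Review bot: The reflowed `tsaCertChain` description still ends in `if not present in the timestamurce.`, a garbled word the block-scalar rewrite carried over unchanged, and it recurs in every other `tsaCertChain` hunk in this file (those starting at `@@ -9531`, `@@ -9607`, `@@ -9929`, `@@ -10003` and `@@ -10084`). Since this CRD schema is generated from the Go API type comments, the correction belongs in that source doc comment followed by a regeneration rather than a hand edit here. The intended wording is presumably `if not present in the timestamp source` (or whatever the TSA chain semantics actually are) — worth confirming against the cosign TSA documentation before changing it, since this text is the only in-cluster explanation users get of what the chain must contain.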
@@ -9511,19 +9165,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9531,14 +9180,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -9546,22 +9191,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9571,10 +9212,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -9587,19 +9227,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -9607,57 +9242,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
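Review bot: The `publicKeys` description on the new side documents the Secret reference format as `"k8s:///"`, which has no placeholders between the slashes, so a reader cannot tell that a namespace and Secret name are expected; this looks like angle-bracket placeholders being stripped somewhere between the Go comment and the generated schema, though that is inferred from the text alone. The same wording reappears in the second `publicKeys` hunk (`@@ -10084,63 +9647,41 @@`). Because the CRD is generated, the fix is to restate the format in the source doc comment in a form that survives generation, e.g. `in the format "k8s://NAMESPACE/SECRET_NAME"`, and regenerate the CRDs.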
@@ -9691,12 +9310,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -9737,9 +9353,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -9751,9 +9367,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -9763,8 +9379,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -9783,13 +9400,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -9798,19 +9413,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -9828,10 +9442,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -9845,16 +9459,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -9862,31 +9475,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -9907,21 +9514,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -9929,36 +9529,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -9969,9 +9558,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -9981,21 +9570,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -10003,15 +9585,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -10019,24 +9596,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -10046,10 +9617,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10062,21 +9632,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -10084,63 +9647,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -10176,37 +9717,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10221,14 +9755,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10248,20 +9779,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -10276,14 +9805,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10303,10 +9829,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -10328,29 +9853,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -10371,19 +9892,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -10391,33 +9907,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10427,8 +9935,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -10439,19 +9947,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10459,14 +9962,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -10474,22 +9973,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10498,10 +9993,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -10514,19 +10008,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -10534,56 +10023,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -10616,11 +10090,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -10630,13 +10102,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -10649,9 +10119,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -10664,9 +10134,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -10679,16 +10149,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -10703,9 +10172,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -10727,23 +10196,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -10751,9 +10220,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -10766,34 +10235,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10805,11 +10274,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -10820,11 +10288,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -10838,51 +10305,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -10893,15 +10358,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -10923,13 +10387,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -10944,23 +10407,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10977,8 +10441,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -10990,10 +10455,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -11007,23 +10471,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11036,14 +10500,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -11053,11 +10517,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -11079,10 +10542,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -11091,60 +10553,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11157,20 +10608,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -11191,44 +10639,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11241,12 +10680,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -11261,36 +10698,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -11320,10 +10749,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -11332,60 +10760,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11398,20 +10815,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -11432,44 +10846,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11482,12 +10887,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -11502,36 +10905,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -11548,21 +10943,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -11570,57 +10963,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11633,20 +11018,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -11666,42 +11048,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11714,12 +11089,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -11734,32 +11107,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -11775,11 +11144,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -11803,37 +11171,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11846,22 +11210,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -11873,11 +11234,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -11889,50 +11249,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -11955,10 +11311,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -11967,60 +11322,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12033,20 +11377,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -12067,44 +11408,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12117,12 +11449,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -12137,36 +11467,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -12196,10 +11518,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -12208,60 +11529,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12274,20 +11584,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -12308,44 +11615,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12358,12 +11656,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -12378,36 +11674,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -12424,21 +11712,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -12446,57 +11732,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12509,20 +11787,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -12542,42 +11817,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12590,12 +11858,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -12610,32 +11876,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -12662,16 +11924,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12694,15 +11954,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -12717,25 +11974,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12755,9 +12010,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -12769,11 +12024,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -12787,25 +12040,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -12819,15 +12070,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -12842,43 +12092,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12893,14 +12141,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -12920,20 +12165,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12948,14 +12191,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -12975,10 +12215,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -12987,14 +12226,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -13010,16 +12250,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -13042,15 +12280,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -13065,25 +12300,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -13103,9 +12336,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -13117,11 +12350,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13135,25 +12366,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13167,15 +12396,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13195,14 +12423,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -13216,27 +12442,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
@@ -13251,41 +12482,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -13301,124 +12536,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -13429,13 +12644,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -13443,82 +12660,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13530,41 +12748,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -13577,12 +12788,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -13597,24 +12807,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -13637,15 +12845,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13660,25 +12865,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -13698,9 +12901,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -13712,11 +12915,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13730,25 +12931,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13762,15 +12961,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -13785,48 +12983,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13841,14 +13035,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -13868,20 +13059,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13896,14 +13085,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -13923,10 +13109,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -13949,31 +13134,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -13994,21 +13173,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -14016,36 +13188,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -14056,9 +13217,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14068,21 +13229,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -14090,15 +13244,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14106,24 +13255,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -14133,10 +13276,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -14149,21 +13291,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -14171,63 +13306,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -14263,12 +13376,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -14309,10 +13419,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -14324,9 +13433,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -14336,9 +13445,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -14357,14 +13466,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -14373,19 +13479,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -14403,10 +13508,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -14420,17 +13525,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -14438,33 +13541,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -14485,23 +13580,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -14510,27 +13596,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14538,13 +13613,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -14555,9 +13626,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14567,23 +13638,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -14592,17 +13654,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14610,13 +13665,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14624,13 +13675,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -14640,11 +13687,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -14658,23 +13703,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -14683,56 +13719,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14740,13 +13752,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -14783,40 +13791,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -14831,14 +13829,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -14858,21 +13853,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -14887,14 +13879,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -14914,10 +13903,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -14939,31 +13927,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -14984,21 +13966,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -15006,35 +13981,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15045,8 +14010,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -15057,21 +14022,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15079,15 +14037,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -15095,23 +14048,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15121,10 +14069,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -15137,21 +14084,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -15159,61 +14099,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -15248,12 +14168,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -15263,13 +14180,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -15282,10 +14197,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15299,9 +14213,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -15314,16 +14228,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -15338,9 +14251,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -15365,42 +14278,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -15414,11 +14327,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -15434,8 +14348,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -15463,10 +14378,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -15528,14 +14442,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -15544,94 +14463,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -15642,15 +14565,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -15672,13 +14594,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15693,22 +14614,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -15725,8 +14648,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -15737,10 +14661,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15754,21 +14677,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15781,13 +14706,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -15797,10 +14723,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -15822,11 +14748,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -15834,58 +14759,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -15898,20 +14814,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -15931,42 +14844,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15979,12 +14885,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -15999,32 +14903,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -16055,11 +14954,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -16067,58 +14965,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -16131,20 +15020,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -16164,42 +15050,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16212,12 +15091,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -16232,32 +15109,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -16276,10 +15148,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -16301,34 +15173,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -16340,21 +15211,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -16366,12 +15235,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -16382,50 +15250,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -16447,11 +15312,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -16459,58 +15323,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -16523,20 +15378,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -16556,42 +15408,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16604,12 +15449,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -16624,32 +15467,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -16680,11 +15518,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -16692,58 +15529,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -16756,20 +15584,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -16789,42 +15614,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16837,12 +15655,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -16857,32 +15673,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -16911,15 +15722,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -16941,14 +15751,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -16963,25 +15771,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -16999,8 +15806,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -17013,11 +15820,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17031,23 +15836,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -17060,15 +15865,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -17081,42 +15885,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17130,13 +15933,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17156,20 +15957,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17183,13 +15982,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17209,10 +16006,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17221,14 +16017,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -17244,15 +16041,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -17274,14 +16070,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -17296,25 +16090,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -17332,8 +16125,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -17346,11 +16139,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17364,23 +16155,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -17393,15 +16184,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -17420,13 +16210,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -17440,17 +16229,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -17461,11 +16250,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17483,18 +16272,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -17505,11 +16294,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17527,27 +16316,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -17562,39 +16351,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -17610,113 +16405,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -17727,13 +16508,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -17741,77 +16524,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -17824,40 +16612,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -17870,14 +16652,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -17890,13 +16673,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17914,17 +16695,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -17937,13 +16718,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17961,9 +16740,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -17980,23 +16759,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -18018,14 +16796,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -18040,25 +16816,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -18076,8 +16851,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -18090,11 +16865,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -18108,23 +16881,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -18137,15 +16910,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -18159,47 +16931,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18213,13 +16981,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -18239,20 +17005,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18266,13 +17030,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -18292,10 +17054,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -18317,31 +17078,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -18362,19 +17117,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -18382,33 +17132,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18419,8 +17161,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -18431,19 +17173,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18451,14 +17188,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -18466,22 +17199,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18491,10 +17220,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -18507,19 +17235,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -18527,57 +17250,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -18611,12 +17318,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -18657,9 +17361,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -18671,9 +17375,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -18683,8 +17387,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -18703,13 +17408,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -18718,19 +17421,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -18748,22 +17450,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -18771,31 +17472,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -18816,21 +17511,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -18838,36 +17526,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -18878,9 +17555,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -18890,21 +17567,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -18912,15 +17582,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -18928,24 +17593,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -18955,10 +17614,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -18971,21 +17629,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -18993,63 +17644,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -19085,37 +17714,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19130,14 +17752,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19157,20 +17776,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -19185,14 +17802,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19212,10 +17826,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -19237,29 +17850,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -19280,19 +17889,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -19300,33 +17904,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19336,8 +17932,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -19348,19 +17944,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19368,14 +17959,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -19383,22 +17970,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19407,10 +17990,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -19423,19 +18005,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -19443,56 +18020,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -19525,24 +18087,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -19555,9 +18113,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -19570,25 +18128,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -19597,9 +18154,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -19621,23 +18178,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -19645,9 +18202,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -19660,34 +18217,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -19699,11 +18256,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19714,11 +18270,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -19732,51 +18287,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -19787,15 +18340,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -19817,13 +18369,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -19838,23 +18389,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -19871,8 +18423,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -19884,10 +18437,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -19901,23 +18453,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -19930,14 +18482,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -19947,11 +18499,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -19973,10 +18524,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -19985,60 +18535,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20051,20 +18590,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -20085,44 +18621,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20135,12 +18662,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -20155,36 +18680,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -20214,10 +18731,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -20226,60 +18742,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20292,20 +18797,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -20326,44 +18828,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20376,12 +18869,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -20396,36 +18887,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -20442,21 +18925,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -20464,57 +18945,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20527,20 +19000,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -20560,42 +19030,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20608,12 +19071,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -20628,32 +19089,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -20669,11 +19126,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -20697,37 +19153,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20740,22 +19192,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -20767,11 +19216,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -20783,50 +19231,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -20849,10 +19293,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -20861,60 +19304,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20927,20 +19359,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -20961,44 +19390,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21011,12 +19431,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -21031,36 +19449,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -21090,10 +19500,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -21102,60 +19511,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -21168,20 +19566,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -21202,44 +19597,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21252,12 +19638,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -21272,36 +19656,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -21318,21 +19694,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -21340,57 +19714,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -21403,20 +19769,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -21436,42 +19799,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21484,12 +19840,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -21504,32 +19858,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -21556,16 +19906,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -21588,15 +19936,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -21611,25 +19956,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -21649,9 +19992,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -21663,11 +20006,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21681,25 +20022,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -21713,15 +20052,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -21736,43 +20074,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -21787,14 +20123,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -21814,20 +20147,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -21842,14 +20173,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -21869,10 +20197,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -21881,14 +20208,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -21904,16 +20232,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -21936,15 +20262,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -21959,25 +20282,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -21997,9 +20318,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -22011,11 +20332,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22029,25 +20348,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -22061,15 +20378,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -22089,14 +20405,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -22110,27 +20424,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
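Review bot: The new `allowExistingViolations` field under `validate` defaults to `true`, and as its description reads that is a fail-open default: a resource that already violates a validate rule is, presumably on later updates, allowed to keep violating it unless the policy author explicitly opts out, and nothing in the schema text tells the author that `false` is the value needed to enforce against pre-existing violations. Since this CRD is generated, the wording has to be fixed in the Go type's doc comment rather than here; something like `AllowExistingViolations allows pre-existing violating resources to continue violating a policy. Defaults to true; set to false to reject updates to resources that already violate the rule.` would also correct the `prexisting` typo. The enclosing `validate` properties block continues past the end of this hunk (it is cut after `cel:`), so any default-related constraints further down cannot be checked from this view. The remaining changes in the hunk are whitespace-only reflowing of descriptions.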
@@ -22145,41 +20464,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -22195,124 +20518,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -22323,13 +20626,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -22337,82 +20642,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -22424,41 +20730,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -22471,12 +20770,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -22491,24 +20789,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -22531,15 +20827,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -22554,25 +20847,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -22592,9 +20883,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -22606,11 +20897,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22624,25 +20913,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -22656,15 +20943,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -22679,48 +20965,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22735,14 +21017,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -22762,20 +21041,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22790,14 +21067,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -22817,10 +21091,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -22843,31 +21116,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -22888,21 +21155,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -22910,36 +21170,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -22950,9 +21199,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -22962,21 +21211,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -22984,15 +21226,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23000,24 +21237,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -23027,10 +21258,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -23043,21 +21273,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -23065,63 +21288,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -23157,12 +21358,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -23203,10 +21401,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -23218,9 +21415,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -23230,9 +21427,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -23251,14 +21448,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -23267,19 +21461,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -23297,10 +21490,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -23314,17 +21507,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -23332,33 +21523,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -23379,23 +21562,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -23404,27 +21578,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23432,13 +21595,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -23449,9 +21608,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -23461,23 +21620,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -23486,17 +21636,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23504,13 +21647,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23518,13 +21657,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -23534,11 +21669,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -23552,23 +21685,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -23577,56 +21701,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23634,13 +21734,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -23677,40 +21773,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23725,14 +21811,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23752,21 +21835,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -23781,14 +21861,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23808,10 +21885,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -23833,31 +21909,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -23878,21 +21948,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -23900,35 +21963,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -23939,8 +21992,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -23951,21 +22004,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -23973,15 +22019,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -23989,23 +22030,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24015,10 +22051,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -24031,21 +22066,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -24053,61 +22081,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -24142,12 +22150,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -24157,13 +22162,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -24176,10 +22179,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24193,9 +22195,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -24208,16 +22210,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -24232,9 +22233,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -24259,42 +22260,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -24308,11 +22309,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -24328,8 +22330,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -24357,10 +22360,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -24386,7 +22388,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io 
@@ -24443,19 +22445,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -24464,95 +22471,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. 
+ description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. 
+ Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. 
The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -24563,15 +22574,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -24593,13 +22603,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -24614,22 +22623,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -24646,8 +22657,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -24658,10 +22670,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24675,21 +22686,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -24702,13 +22715,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -24718,10 +22732,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -24743,11 +22757,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -24755,58 +22768,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -24819,20 +22823,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -24852,42 +22853,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -24900,12 +22894,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -24920,32 +22912,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -24976,11 +22963,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -24988,58 +22974,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -25052,20 +23029,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25085,42 +23059,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25133,12 +23100,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25153,32 +23118,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -25196,20 +23156,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -25217,52 +23176,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -25274,19 +23230,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25306,38 +23260,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25349,12 +23300,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25369,32 +23318,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -25410,10 +23355,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -25435,34 +23380,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -25474,21 +23418,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -25500,12 +23442,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -25516,50 +23457,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -25581,11 +23519,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -25593,58 +23530,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -25657,20 +23585,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25690,42 +23615,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25738,12 +23656,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25758,32 +23674,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -25814,11 +23725,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -25826,58 +23736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -25890,20 +23791,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25923,42 +23821,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25971,12 +23862,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25991,32 +23880,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -26034,20 +23918,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -26055,52 +23938,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -26112,19 +23992,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -26144,38 +24022,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -26187,12 +24062,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -26207,32 +24080,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -26258,15 +24127,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26288,14 +24156,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -26310,25 +24176,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26346,8 +24211,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -26360,11 +24225,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26378,23 +24241,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -26407,15 +24270,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -26428,42 +24290,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26477,13 +24338,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -26503,20 +24362,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26530,13 +24387,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -26556,10 +24411,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -26568,14 +24422,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -26591,15 +24446,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26621,14 +24475,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -26643,25 +24495,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26679,8 +24530,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -26693,11 +24544,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26711,23 +24560,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -26740,15 +24589,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26767,13 +24615,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -26787,27 +24634,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
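Review bot: The new `allowExistingViolations` field in the `validate` schema defaults to `true` and its description says only that pre-existing violating resources "continue violating a policy", which does not tell a policy author what the observable effect is, or what flipping it to `false` does to admission of updates to those resources; the `validate` mapping itself continues past the end of this hunk. The description also has a typo, `prexisting` → `preexisting`, and since this looks like generated CRD output the wording should be fixed in the Go type comment it is produced from rather than here. I would expand the description along the lines of `AllowExistingViolations allows preexisting violating resources to continue violating a policy; set to false to reject updates to such resources (default: true)`, adjusted to whatever the controller actually does, and note the permissive default explicitly so reviewers of policies do not assume existing violations are enforced.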
@@ -26822,39 +24674,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -26870,113 +24728,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -26987,13 +24831,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -27001,77 +24847,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -27084,40 +24935,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -27130,11 +24975,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -27148,23 +24993,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -27186,14 +25030,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -27208,25 +25050,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -27244,8 +25085,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -27258,11 +25099,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -27276,23 +25115,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -27305,15 +25144,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -27327,47 +25165,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27381,13 +25215,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -27407,20 +25239,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27434,13 +25264,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -27460,10 +25288,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -27485,31 +25312,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -27530,19 +25351,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -27550,33 +25366,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27587,8 +25395,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -27599,19 +25407,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27619,14 +25422,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -27634,22 +25433,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27659,10 +25454,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -27675,19 +25469,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -27695,57 +25484,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -27779,12 +25552,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -27825,9 +25595,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -27839,9 +25609,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -27851,8 +25621,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -27871,13 +25642,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -27886,19 +25655,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -27916,10 +25684,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -27933,16 +25701,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -27950,31 +25717,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -27995,21 +25756,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -28017,36 +25771,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -28057,9 +25800,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -28069,21 +25812,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -28091,15 +25827,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -28107,24 +25838,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -28134,10 +25859,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -28150,21 +25874,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -28172,63 +25889,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -28264,37 +25959,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28309,14 +25997,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28336,20 +26021,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -28364,14 +26047,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28391,10 +26071,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -28416,29 +26095,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -28459,19 +26134,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -28479,33 +26149,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28515,8 +26177,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -28527,19 +26189,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28547,14 +26204,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -28562,22 +26215,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28586,10 +26235,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -28602,19 +26250,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -28622,56 +26265,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -28704,11 +26332,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -28718,13 +26344,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -28737,9 +26361,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -28752,9 +26376,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -28767,16 +26391,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -28791,9 +26414,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -28815,23 +26438,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -28839,9 +26462,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -28854,34 +26477,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -28893,11 +26516,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -28908,11 +26530,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -28927,51 +26548,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -28982,15 +26601,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -29012,13 +26630,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -29033,23 +26650,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -29066,8 +26684,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -29079,10 +26698,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -29096,23 +26714,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -29125,14 +26743,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -29142,11 +26760,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -29168,10 +26785,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -29180,60 +26796,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -29246,20 +26851,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -29280,44 +26882,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29330,12 +26923,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -29350,36 +26941,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -29409,10 +26992,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -29421,60 +27003,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -29487,20 +27058,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -29521,44 +27089,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29571,12 +27130,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -29591,36 +27148,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -29637,21 +27186,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -29659,57 +27206,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -29722,20 +27261,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -29755,42 +27291,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29803,12 +27332,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -29823,32 +27350,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -29864,11 +27387,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -29892,37 +27414,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -29935,22 +27453,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -29962,11 +27477,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -29978,50 +27492,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -30044,10 +27554,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -30056,60 +27565,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -30122,20 +27620,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -30156,44 +27651,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30206,12 +27692,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -30226,36 +27710,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -30285,10 +27761,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -30297,60 +27772,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -30363,20 +27827,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -30397,44 +27858,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30447,12 +27899,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -30467,36 +27917,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -30513,21 +27955,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -30535,57 +27975,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -30598,20 +28030,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -30631,42 +28060,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30679,12 +28101,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -30699,32 +28119,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -30751,16 +28167,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -30783,15 +28197,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -30806,25 +28217,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -30844,9 +28253,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -30858,11 +28267,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -30876,25 +28283,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -30908,15 +28313,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -30931,43 +28335,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -30982,14 +28384,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -31009,20 +28408,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31037,14 +28434,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -31064,10 +28458,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31076,14 +28469,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -31099,16 +28493,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31131,15 +28523,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -31154,25 +28543,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -31192,9 +28579,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -31206,11 +28593,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31224,25 +28609,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -31256,15 +28639,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -31284,14 +28666,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -31305,27 +28685,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
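Review bot: The new `allowExistingViolations` field in the validate block ships with a typo in its description ("prexisting") and does not say what `false` does, even though the default of `true` means pre-existing violators keep passing unless an operator opts out. Since this is a generated CRD, the wording should be corrected at its source (the Go doc comment on the field) and the CRDs regenerated, so every copy of this schema picks it up. A description along the lines of `AllowExistingViolations allows pre-existing violating resources to continue violating a policy. Defaults to true; set to false to also report or block resources that already violate the policy.` would make the default's effect explicit to policy authors. The enclosing `validate` properties block continues past this hunk.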
@@ -31340,41 +28725,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -31390,124 +28779,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -31518,13 +28887,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -31532,82 +28903,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -31619,41 +28991,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -31666,12 +29031,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -31686,24 +29050,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -31726,15 +29088,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -31749,25 +29108,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -31787,9 +29144,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -31801,11 +29158,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31819,25 +29174,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -31851,15 +29204,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -31874,48 +29226,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31930,14 +29278,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -31957,20 +29302,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31985,14 +29328,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -32012,10 +29352,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -32038,31 +29377,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -32083,21 +29416,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -32105,36 +29431,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -32145,9 +29460,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32157,21 +29472,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -32179,15 +29487,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32195,24 +29498,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -32222,10 +29519,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -32238,21 +29534,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -32260,63 +29549,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -32352,12 +29619,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -32398,10 +29662,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -32413,9 +29676,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -32425,9 +29688,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -32446,14 +29709,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -32462,19 +29722,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -32492,10 +29751,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -32509,17 +29768,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -32527,33 +29784,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -32574,23 +29823,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -32599,27 +29839,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32627,13 +29856,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -32644,9 +29869,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32656,23 +29881,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -32681,17 +29897,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32699,13 +29908,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32713,13 +29918,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -32729,11 +29930,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -32747,23 +29946,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -32772,56 +29962,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32829,13 +29995,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -32872,40 +30034,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -32920,14 +30072,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -32947,21 +30096,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -32976,14 +30122,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -33003,10 +30146,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -33028,31 +30170,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -33073,21 +30209,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -33095,35 +30224,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33134,8 +30253,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -33146,21 +30265,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33168,15 +30280,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -33184,23 +30291,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33210,10 +30312,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -33226,21 +30327,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -33248,61 +30342,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -33337,12 +30411,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -33352,13 +30423,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -33371,10 +30440,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -33388,9 +30456,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -33403,16 +30471,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -33427,9 +30494,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -33454,42 +30521,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -33503,11 +30570,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -33523,8 +30591,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -33552,10 +30621,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -33613,19 +30681,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -33634,94 +30707,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -33732,15 +30809,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -33762,13 +30838,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -33783,22 +30858,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -33815,8 +30892,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -33827,10 +30905,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -33844,21 +30921,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -33871,13 +30950,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -33887,10 +30967,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -33912,11 +30992,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -33924,58 +31003,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -33988,20 +31058,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -34021,42 +31088,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34069,12 +31129,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -34089,32 +31147,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -34145,11 +31198,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -34157,58 +31209,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -34221,20 +31264,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -34254,42 +31294,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34302,12 +31335,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -34322,32 +31353,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -34366,10 +31392,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -34391,34 +31417,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -34430,21 +31455,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -34456,12 +31479,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -34472,50 +31494,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -34537,11 +31556,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -34549,58 +31567,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -34613,20 +31622,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -34646,42 +31652,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34694,12 +31693,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -34714,32 +31711,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -34770,11 +31762,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -34782,58 +31773,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -34846,20 +31828,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -34879,42 +31858,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34927,12 +31899,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -34947,32 +31917,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -35001,15 +31966,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35031,14 +31995,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -35053,25 +32015,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35089,8 +32050,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -35103,11 +32064,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35121,23 +32080,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -35150,15 +32109,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -35171,42 +32129,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35220,13 +32177,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35246,20 +32201,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35273,13 +32226,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35299,10 +32250,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -35311,14 +32261,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -35334,15 +32285,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35364,14 +32314,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -35386,25 +32334,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35422,8 +32369,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -35436,11 +32383,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35454,23 +32399,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -35483,15 +32428,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -35510,13 +32454,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -35530,17 +32473,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -35551,11 +32494,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35573,18 +32516,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -35595,11 +32538,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35617,27 +32560,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -35652,39 +32595,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -35700,113 +32649,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -35817,13 +32752,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -35831,77 +32768,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -35914,40 +32856,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -35960,14 +32896,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -35980,13 +32917,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36004,17 +32939,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -36027,13 +32962,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36051,9 +32984,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -36070,23 +33003,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -36108,14 +33040,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -36130,25 +33060,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -36166,8 +33095,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -36180,11 +33109,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -36198,23 +33125,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -36227,15 +33154,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -36249,47 +33175,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36303,13 +33225,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -36329,20 +33249,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36356,13 +33274,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -36382,10 +33298,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -36407,31 +33322,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -36452,19 +33361,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -36472,33 +33376,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36509,8 +33405,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -36521,19 +33417,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36541,14 +33432,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -36556,22 +33443,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36581,10 +33464,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -36597,19 +33479,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -36617,57 +33494,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -36701,12 +33562,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -36747,9 +33605,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -36761,9 +33619,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -36773,8 +33631,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -36793,13 +33652,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -36808,19 +33665,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -36838,22 +33694,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -36861,31 +33716,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -36906,21 +33755,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -36928,36 +33770,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -36968,9 +33799,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -36980,21 +33811,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -37002,15 +33826,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -37018,24 +33837,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -37045,10 +33858,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -37061,21 +33873,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -37083,63 +33888,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -37175,37 +33958,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -37220,14 +33996,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37247,20 +34020,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -37275,14 +34046,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37302,10 +34070,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -37327,29 +34094,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -37370,19 +34133,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -37390,33 +34148,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37426,8 +34176,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -37438,19 +34188,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37458,14 +34203,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -37473,22 +34214,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37497,10 +34234,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -37513,19 +34249,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -37533,56 +34264,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -37615,24 +34331,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -37645,9 +34357,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -37660,25 +34372,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -37687,9 +34398,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -37711,23 +34422,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -37735,9 +34446,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -37750,34 +34461,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -37789,11 +34500,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -37804,11 +34514,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -37822,51 +34531,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -37877,15 +34584,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -37907,13 +34613,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -37928,23 +34633,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -37961,8 +34667,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -37974,10 +34681,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -37991,23 +34697,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -38020,14 +34726,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -38037,11 +34743,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -38063,10 +34768,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -38075,60 +34779,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -38141,20 +34834,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -38175,44 +34865,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38225,12 +34906,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -38245,36 +34924,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -38304,10 +34975,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -38316,60 +34986,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -38382,20 +35041,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -38416,44 +35072,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38466,12 +35113,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -38486,36 +35131,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -38532,21 +35169,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -38554,57 +35189,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -38617,20 +35244,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -38650,42 +35274,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38698,12 +35315,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -38718,32 +35333,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -38759,11 +35370,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -38787,37 +35397,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -38830,22 +35436,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -38857,11 +35460,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -38873,50 +35475,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -38939,10 +35537,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -38951,60 +35548,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -39017,20 +35603,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -39051,44 +35634,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39101,12 +35675,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -39121,36 +35693,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -39180,10 +35744,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -39192,60 +35755,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -39258,20 +35810,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -39292,44 +35841,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39342,12 +35882,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -39362,36 +35900,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -39408,21 +35938,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -39430,57 +35958,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -39493,20 +36013,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -39526,42 +36043,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39574,12 +36084,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -39594,32 +36102,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -39646,16 +36150,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -39678,15 +36180,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -39701,25 +36200,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -39739,9 +36236,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -39753,11 +36250,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39771,25 +36266,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -39803,15 +36296,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -39826,43 +36318,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -39877,14 +36367,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -39904,20 +36391,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -39932,14 +36417,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -39959,10 +36441,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -39971,14 +36452,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -39994,16 +36476,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -40026,15 +36506,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -40049,25 +36526,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -40087,9 +36562,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -40101,11 +36576,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40119,25 +36592,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -40151,15 +36622,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -40179,14 +36649,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -40200,27 +36668,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
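Review bot: The description of the newly added `allowExistingViolations` field, `AllowExistingViolations allows prexisting violating resources to continue violating a policy.`, carries a typo ("prexisting") and does not say what `false` does, which matters because the `default: true` is the permissive setting for a validation control and operators reading the schema need to know what they are opting out of. The other hunks only reformat descriptions into `|-` block scalars, which suggests this CRD is generated from the Go API types; if so the wording fix belongs in the Go field comment, not in this file. Suggested text: `AllowExistingViolations allows preexisting violating resources to continue violating a policy. Defaults to true; set to false to apply the rule to such resources as well` (the exact effect of false is presumed and should be confirmed against the controller). The enclosing `validate.properties` mapping continues past the end of the hunk.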
@@ -40235,41 +36708,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -40285,124 +36762,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -40413,13 +36870,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -40427,82 +36886,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -40514,41 +36974,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -40561,12 +37014,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -40581,24 +37033,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -40621,15 +37071,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -40644,25 +37091,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -40682,9 +37127,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -40696,11 +37141,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40714,25 +37157,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -40746,15 +37187,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -40769,48 +37209,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40825,14 +37261,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -40852,20 +37285,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40880,14 +37311,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -40907,10 +37335,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -40933,31 +37360,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -40978,21 +37399,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -41000,36 +37414,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -41040,9 +37443,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41052,21 +37455,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -41074,15 +37470,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41090,24 +37481,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -41117,10 +37502,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -41133,21 +37517,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -41155,63 +37532,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -41247,12 +37602,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -41293,10 +37645,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -41308,9 +37659,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -41320,9 +37671,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -41341,14 +37692,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -41357,19 +37705,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -41387,10 +37734,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -41404,17 +37751,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -41422,33 +37767,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -41469,23 +37806,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -41494,27 +37822,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41522,13 +37839,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -41539,9 +37852,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41551,23 +37864,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -41576,17 +37880,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41594,13 +37891,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41608,13 +37901,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -41624,11 +37913,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -41642,23 +37929,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -41667,56 +37945,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41724,13 +37978,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -41767,40 +38017,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -41815,14 +38055,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -41842,21 +38079,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -41871,14 +38105,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -41898,10 +38129,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -41923,31 +38153,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -41968,21 +38192,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -41990,35 +38207,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42029,8 +38236,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -42041,21 +38248,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -42063,15 +38263,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -42079,23 +38274,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42105,10 +38295,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -42121,21 +38310,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -42143,61 +38325,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -42232,12 +38394,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -42247,13 +38406,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -42266,10 +38423,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -42283,9 +38439,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -42298,16 +38454,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -42322,9 +38477,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -42349,42 +38504,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -42398,11 +38553,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -42418,8 +38574,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -42447,10 +38604,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -42476,7 +38632,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -42499,14 +38655,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -42514,11 +38675,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -42526,9 +38686,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -42564,11 +38725,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -42576,52 +38736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -42633,19 +38790,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -42665,38 +38820,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42708,12 +38860,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -42728,32 +38878,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -42782,11 +38928,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -42794,52 +38939,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -42851,19 +38993,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -42883,38 +39023,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42926,12 +39063,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -42946,32 +39081,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -42998,14 +39129,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -43013,11 +39149,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -43025,9 +39160,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -43063,11 +39199,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -43075,52 +39210,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -43132,19 +39264,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -43164,38 +39294,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43207,12 +39334,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -43227,32 +39352,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -43281,11 +39402,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -43293,52 +39413,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -43350,19 +39467,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -43382,38 +39497,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43425,12 +39537,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -43445,32 +39555,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -43500,7 +39606,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -43544,14 +39650,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -43570,9 +39681,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -43590,10 +39701,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with 
@@ -43609,38 +39719,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. 
\n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string 
@@ -43654,22 +39759,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string 
@@ -43683,12 +39785,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -43710,14 +39810,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting 
@@ -43740,10 +39837,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -43799,10 +39896,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -43848,8 +39945,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -43862,8 +39960,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: 
@@ -43912,7 +40011,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -43957,14 +40056,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -43991,35 +40095,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44031,11 +40135,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -44043,63 +40146,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). 
This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -44137,15 +40240,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 
@@ -44166,61 +40270,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44232,10 +40346,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -44277,7 +40391,7 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -44321,14 +40435,19 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -44355,35 +40474,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44395,11 +40514,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -44407,63 +40525,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). 
This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -44501,15 +40619,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 
@@ -44530,61 +40649,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44596,10 +40725,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml index 0502e00a1842..9c3308bd6a30 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_clusterpolicies.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io @@ -64,14 +64,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -80,95 +85,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -179,15 +188,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -209,13 +217,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -230,22 +237,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -262,8 +271,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -274,10 +284,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -291,21 +300,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -318,13 +329,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -334,10 +346,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -359,11 +371,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -371,58 +382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -435,20 +437,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -468,42 +467,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -516,12 +508,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -536,32 +526,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -592,11 +577,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -604,58 +588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -668,20 +643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -701,42 +673,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -749,12 +714,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -769,32 +732,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -812,20 +770,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -833,52 +790,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -890,19 +844,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -922,38 +874,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -965,12 +914,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -985,32 +932,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1026,10 +969,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -1051,34 +994,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1090,21 +1032,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -1116,12 +1056,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -1132,50 +1071,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1197,11 +1133,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1209,58 +1144,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -1273,20 +1199,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1306,42 +1229,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1354,12 +1270,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1374,32 +1288,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -1430,11 +1339,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1442,58 +1350,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -1506,20 +1405,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1539,42 +1435,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1587,12 +1476,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1607,32 +1494,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -1650,20 +1532,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1671,52 +1552,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1728,19 +1606,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1760,38 +1636,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1803,12 +1676,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1823,32 +1694,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1874,15 +1741,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1904,14 +1770,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -1926,25 +1790,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1962,8 +1825,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -1976,11 +1839,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1994,23 +1855,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2023,15 +1884,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2044,42 +1904,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2093,13 +1952,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2119,20 +1976,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2146,13 +2001,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2172,10 +2025,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2184,14 +2036,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -2207,15 +2060,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2237,14 +2089,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2259,25 +2109,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2295,8 +2144,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2309,11 +2158,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2327,23 +2174,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2356,15 +2203,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2383,13 +2229,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -2403,27 +2248,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
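Review bot: The description of the newly added `allowExistingViolations` field (introduced under `validate` in this hunk) carries a typo, "prexisting", and stops short of saying what the exemption actually covers, so a policy author reading the schema cannot tell which requests on an already-violating resource are let through when it is `true`. Since this looks like controller-gen output from the Go API types, the wording should be fixed at the Go doc comment rather than in this file, e.g. `AllowExistingViolations allows preexisting violating resources to continue violating a policy.` followed by one sentence naming the operations the exemption applies to. Because the field defaults to `true`, the permissive behavior is the one users get without opting in, which makes the description the only place they learn that existing violations are not enforced; that deserves an explicit statement rather than being implied. The surrounding `validate` schema continues beyond this hunk.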
@@ -2438,39 +2288,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -2486,113 +2342,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2603,13 +2445,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -2617,77 +2461,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2700,40 +2549,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2746,11 +2589,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -2764,23 +2607,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -2802,14 +2644,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2824,25 +2664,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2860,8 +2699,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2874,11 +2713,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2892,23 +2729,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2921,15 +2758,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2943,47 +2779,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2997,13 +2829,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3023,20 +2853,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3050,13 +2878,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3076,10 +2902,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -3101,31 +2926,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -3146,19 +2965,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3166,33 +2980,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3203,8 +3009,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -3215,19 +3021,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3235,14 +3036,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -3250,22 +3047,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3275,10 +3068,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -3291,19 +3083,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3311,57 +3098,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3395,12 +3166,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3441,9 +3209,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3455,9 +3223,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3467,8 +3235,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -3487,13 +3256,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3502,19 +3269,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -3532,10 +3298,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3549,16 +3315,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -3566,31 +3331,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -3611,21 +3370,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3633,36 +3385,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3673,9 +3414,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3685,21 +3426,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3707,15 +3441,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3723,24 +3452,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3750,10 +3473,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3766,21 +3488,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3788,63 +3503,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3880,37 +3573,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3925,14 +3611,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3952,20 +3635,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -3980,14 +3661,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4007,10 +3685,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -4032,29 +3709,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -4075,19 +3748,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4095,33 +3763,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4131,8 +3791,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -4143,19 +3803,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4163,14 +3818,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -4178,22 +3829,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4202,10 +3849,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -4218,19 +3864,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4238,56 +3879,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -4320,11 +3946,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4334,13 +3958,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -4353,9 +3975,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4368,9 +3990,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4383,16 +4005,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -4407,9 +4028,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -4431,23 +4052,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -4455,9 +4076,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -4470,34 +4091,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4509,11 +4130,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4524,11 +4144,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -4542,51 +4161,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4597,15 +4214,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -4627,13 +4243,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -4648,23 +4263,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4681,8 +4297,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -4694,10 +4311,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4711,23 +4327,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -4740,14 +4356,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4757,11 +4373,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4783,10 +4398,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -4795,60 +4409,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -4861,20 +4464,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4895,44 +4495,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4945,12 +4536,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4965,36 +4554,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5024,10 +4605,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5036,60 +4616,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5102,20 +4671,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5136,44 +4702,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5186,12 +4743,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5206,36 +4761,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5252,21 +4799,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5274,57 +4819,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5337,20 +4874,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5370,42 +4904,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5418,12 +4945,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5438,32 +4963,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5479,11 +5000,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -5507,37 +5027,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5550,22 +5066,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -5577,11 +5090,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -5593,50 +5105,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5659,10 +5167,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5671,60 +5178,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5737,20 +5233,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5771,44 +5264,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5821,12 +5305,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5841,36 +5323,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5900,10 +5374,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5912,60 +5385,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5978,20 +5440,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6012,44 +5471,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6062,12 +5512,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6082,36 +5530,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6128,21 +5568,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6150,57 +5588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6213,20 +5643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6246,42 +5673,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6294,12 +5714,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6314,32 +5732,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6366,16 +5780,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6398,15 +5810,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6421,25 +5830,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6459,9 +5866,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6473,11 +5880,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6491,25 +5896,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6523,15 +5926,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -6546,43 +5948,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6597,14 +5997,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6624,20 +6021,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6652,14 +6047,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6679,10 +6071,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6691,14 +6082,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -6714,16 +6106,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6746,15 +6136,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6769,25 +6156,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6807,9 +6192,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6821,11 +6206,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6839,25 +6222,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6871,15 +6252,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6899,14 +6279,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -6920,27 +6298,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
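Review bot: The new `allowExistingViolations` field in this hunk defaults to `true`, which means a validate rule tolerates resources that already violate the policy unless the author explicitly opts out, and the description neither says this is a fail-open default nor which admission operations it applies to (presumably updates to an already-violating object — worth confirming and stating). The description also has a typo, `prexisting`. I'd replace it with `AllowExistingViolations allows pre-existing violating resources to continue violating a policy instead of being blocked on subsequent requests. Defaults to true; set to false to enforce the rule on existing violators as well.`, adjusted to whatever operations the controller actually checks. This schema looks generated from the Go API types, so the wording fix belongs in the field's Go doc comment rather than in this YAML; the enclosing `validate` properties object continues outside the hunk.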
@@ -6955,41 +6338,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -7005,124 +6392,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -7133,13 +6500,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -7147,82 +6516,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7234,41 +6604,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7281,12 +6644,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -7301,24 +6663,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -7341,15 +6701,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7364,25 +6721,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -7402,9 +6757,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7416,11 +6771,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7434,25 +6787,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -7466,15 +6817,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -7489,48 +6839,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7545,14 +6891,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7572,20 +6915,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7600,14 +6941,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7627,10 +6965,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -7653,31 +6990,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -7698,21 +7029,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7720,36 +7044,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7760,9 +7073,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7772,21 +7085,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7794,15 +7100,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7810,24 +7111,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7837,10 +7132,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7853,21 +7147,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7875,63 +7162,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7967,12 +7232,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8013,10 +7275,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8028,9 +7289,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8040,9 +7301,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -8061,14 +7322,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8077,19 +7335,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -8107,10 +7364,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8124,17 +7381,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -8142,33 +7397,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -8189,23 +7436,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8214,27 +7452,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8242,13 +7469,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8259,9 +7482,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8271,23 +7494,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8296,17 +7510,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8314,13 +7521,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8328,13 +7531,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8344,11 +7543,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8362,23 +7559,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8387,56 +7575,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8444,13 +7608,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8487,40 +7647,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8535,14 +7685,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8562,21 +7709,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -8591,14 +7735,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8618,10 +7759,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -8643,31 +7783,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -8688,21 +7822,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8710,35 +7837,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8749,8 +7866,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -8761,21 +7878,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8783,15 +7893,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -8799,23 +7904,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8825,10 +7925,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -8841,21 +7940,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8863,61 +7955,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -8952,12 +8024,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8967,13 +8036,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -8986,10 +8053,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9003,9 +8069,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9018,16 +8084,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -9042,9 +8107,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -9069,42 +8134,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -9118,11 +8183,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9138,8 +8204,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9167,10 +8234,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -9232,14 +8298,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -9248,94 +8319,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -9346,15 +8421,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9376,13 +8450,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -9397,22 +8470,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9429,8 +8504,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -9441,10 +8517,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9458,21 +8533,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -9485,13 +8562,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9501,10 +8579,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9526,11 +8604,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9538,58 +8615,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9602,20 +8670,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9635,42 +8700,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9683,12 +8741,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9703,32 +8759,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9759,11 +8810,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9771,58 +8821,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9835,20 +8876,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9868,42 +8906,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9916,12 +8947,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9936,32 +8965,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9980,10 +9004,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -10005,34 +9029,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10044,21 +9067,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -10070,12 +9091,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -10086,50 +9106,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10151,11 +9168,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10163,58 +9179,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10227,20 +9234,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10260,42 +9264,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10308,12 +9305,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10328,32 +9323,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10384,11 +9374,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10396,58 +9385,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10460,20 +9440,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10493,42 +9470,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10541,12 +9511,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10561,32 +9529,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10615,15 +9578,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10645,14 +9607,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -10667,25 +9627,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10703,8 +9662,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -10717,11 +9676,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10735,23 +9692,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -10764,15 +9721,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -10785,42 +9741,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10834,13 +9789,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10860,20 +9813,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10887,13 +9838,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10913,10 +9862,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10925,14 +9873,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -10948,15 +9897,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10978,14 +9926,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11000,25 +9946,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11036,8 +9981,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11050,11 +9995,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11068,23 +10011,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11097,15 +10040,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11124,13 +10066,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -11144,17 +10085,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11165,11 +10106,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11187,18 +10128,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11209,11 +10150,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11231,27 +10172,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -11266,39 +10207,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -11314,113 +10261,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11431,13 +10364,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -11445,77 +10380,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11528,40 +10468,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11574,14 +10508,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -11594,13 +10529,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11618,17 +10551,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -11641,13 +10574,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11665,9 +10596,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -11684,23 +10615,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -11722,14 +10652,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11744,25 +10672,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11780,8 +10707,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11794,11 +10721,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11812,23 +10737,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11841,15 +10766,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -11863,47 +10787,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11917,13 +10837,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11943,20 +10861,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11970,13 +10886,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11996,10 +10910,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -12021,31 +10934,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -12066,19 +10973,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -12086,33 +10988,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12123,8 +11017,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -12135,19 +11029,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12155,14 +11044,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -12170,22 +11055,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12195,10 +11076,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -12211,19 +11091,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -12231,57 +11106,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12315,12 +11174,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -12361,9 +11217,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -12375,9 +11231,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -12387,8 +11243,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -12407,13 +11264,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -12422,19 +11277,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -12452,22 +11306,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -12475,31 +11328,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -12520,21 +11367,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12542,36 +11382,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12582,9 +11411,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -12594,21 +11423,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12616,15 +11438,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12632,24 +11449,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12659,10 +11470,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12675,21 +11485,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12697,63 +11500,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12789,37 +11570,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12834,14 +11608,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12861,20 +11632,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -12889,14 +11658,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12916,10 +11682,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -12941,29 +11706,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -12984,19 +11745,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13004,33 +11760,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13040,8 +11788,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -13052,19 +11800,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13072,14 +11815,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -13087,22 +11826,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13111,10 +11846,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -13127,19 +11861,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13147,56 +11876,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -13229,24 +11943,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13259,9 +11969,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -13274,25 +11984,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13301,9 +12010,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -13325,23 +12034,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -13349,9 +12058,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -13364,34 +12073,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13403,11 +12112,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13418,11 +12126,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -13436,51 +12143,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13491,15 +12196,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -13521,13 +12225,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -13542,23 +12245,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13575,8 +12279,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -13588,10 +12293,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13605,23 +12309,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13634,14 +12338,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13651,11 +12355,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13677,10 +12380,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13689,60 +12391,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13755,20 +12446,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -13789,44 +12477,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13839,12 +12518,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -13859,36 +12536,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -13918,10 +12587,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13930,60 +12598,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13996,20 +12653,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14030,44 +12684,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14080,12 +12725,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14100,36 +12743,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14146,21 +12781,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -14168,57 +12801,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14231,20 +12856,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14264,42 +12886,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14312,12 +12927,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14332,32 +12945,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14373,11 +12982,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -14401,37 +13009,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14444,22 +13048,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -14471,11 +13072,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -14487,50 +13087,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14553,10 +13149,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14565,60 +13160,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14631,20 +13215,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14665,44 +13246,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14715,12 +13287,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14735,36 +13305,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14794,10 +13356,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14806,60 +13367,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14872,20 +13422,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14906,44 +13453,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14956,12 +13494,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14976,36 +13512,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15022,21 +13550,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -15044,57 +13570,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -15107,20 +13625,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -15140,42 +13655,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15188,12 +13696,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -15208,32 +13714,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15260,16 +13762,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15292,15 +13792,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15315,25 +13812,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15353,9 +13848,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15367,11 +13862,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15385,25 +13878,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15417,15 +13908,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -15440,43 +13930,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15491,14 +13979,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15518,20 +14003,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15546,14 +14029,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15573,10 +14053,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15585,14 +14064,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -15608,16 +14088,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15640,15 +14118,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15663,25 +14138,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15701,9 +14174,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15715,11 +14188,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15733,25 +14204,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15765,15 +14234,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15793,14 +14261,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -15814,27 +14280,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
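Review bot: The description added for the new `allowExistingViolations` field in this hunk has a typo (`prexisting`) and does not say what the field does when set to `false`, which is the setting an operator hardening a cluster will reach for; with `default: true` the permissive behaviour is presumably what every policy that omits the field gets, so the trade-off should be stated where the field is documented. This file looks like controller-gen output, so the wording should be fixed in the Go type's doc comment rather than in the CRD; a description along the lines of `AllowExistingViolations allows pre-existing violating resources to continue violating a policy. Defaults to true; set to false to have matching requests for resources that already violate the policy rejected.` would do, with the `false` semantics confirmed against the controller code before committing to them. The enclosing `validate` schema continues past the end of this hunk.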
@@ -15849,41 +14320,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -15899,124 +14374,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16027,13 +14482,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -16041,82 +14498,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -16128,41 +14586,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16175,12 +14626,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -16195,24 +14645,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -16235,15 +14683,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16258,25 +14703,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -16296,9 +14739,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16310,11 +14753,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16328,25 +14769,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -16360,15 +14799,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -16383,48 +14821,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16439,14 +14873,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16466,20 +14897,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16494,14 +14923,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16521,10 +14947,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -16547,31 +14972,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -16592,21 +15011,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16614,36 +15026,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16654,9 +15055,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16666,21 +15067,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16688,15 +15082,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16704,24 +15093,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16731,10 +15114,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16747,21 +15129,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16769,63 +15144,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16861,12 +15214,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16907,10 +15257,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16922,9 +15271,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16934,9 +15283,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -16955,14 +15304,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16971,19 +15317,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -17001,10 +15346,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17018,17 +15363,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -17036,33 +15379,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -17083,23 +15418,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17108,27 +15434,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17136,13 +15451,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17153,9 +15464,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17165,23 +15476,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17190,17 +15492,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17208,13 +15503,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17222,13 +15513,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17238,11 +15525,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17256,23 +15541,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17281,56 +15557,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17338,13 +15590,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17381,40 +15629,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17429,14 +15667,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17456,21 +15691,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -17485,14 +15717,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17512,10 +15741,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -17537,31 +15765,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -17582,21 +15804,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17604,35 +15819,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17643,8 +15848,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -17655,21 +15860,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17677,15 +15875,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -17693,23 +15886,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17719,10 +15907,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -17735,21 +15922,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17757,61 +15937,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -17846,12 +16006,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17861,13 +16018,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -17880,10 +16035,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17897,9 +16051,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17912,16 +16066,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -17936,9 +16089,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -17963,42 +16116,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -18012,11 +16165,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18032,8 +16186,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18061,10 +16216,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml index ff6f69fa9327..88054fa5a2a4 100644 --- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml +++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io 
@@ -60,19 +60,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -81,95 +86,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -180,15 +189,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -210,13 +218,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -231,22 +238,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -263,8 +272,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -275,10 +285,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -292,21 +301,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -319,13 +330,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -335,10 +347,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -360,11 +372,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -372,58 +383,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -436,20 +438,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -469,42 +468,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -517,12 +509,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -537,32 +527,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -593,11 +578,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -605,58 +589,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -669,20 +644,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -702,42 +674,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -750,12 +715,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -770,32 +733,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -813,20 +771,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -834,52 +791,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -891,19 +845,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -923,38 +875,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -966,12 +915,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -986,32 +933,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1027,10 +970,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -1052,34 +995,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1091,21 +1033,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -1117,12 +1057,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -1133,50 +1072,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1198,11 +1134,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1210,58 +1145,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -1274,20 +1200,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1307,42 +1230,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1355,12 +1271,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1375,32 +1289,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -1431,11 +1340,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1443,58 +1351,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -1507,20 +1406,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1540,42 +1436,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1588,12 +1477,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1608,32 +1495,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -1651,20 +1533,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1672,52 +1553,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1729,19 +1607,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1761,38 +1637,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1804,12 +1677,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1824,32 +1695,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1875,15 +1742,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1905,14 +1771,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -1927,25 +1791,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1963,8 +1826,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -1977,11 +1840,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1995,23 +1856,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2024,15 +1885,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2045,42 +1905,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2094,13 +1953,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2120,20 +1977,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2147,13 +2002,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2173,10 +2026,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2185,14 +2037,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -2208,15 +2061,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2238,14 +2090,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2260,25 +2110,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2296,8 +2145,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2310,11 +2159,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2328,23 +2175,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2357,15 +2204,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2384,13 +2230,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -2404,27 +2249,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
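Review bot: The new `allowExistingViolations` field is added with `default: true`, but its description only says pre-existing violating resources may "continue violating"; it never states what setting it to `false` buys the policy author (presumably that an UPDATE to a resource that already violates the rule is then rejected as well — confirm against the validation handler), which is exactly what someone deciding whether to keep the permissive default needs to know. The description also misspells "prexisting". Since this CRD is generated from the Go API types, the wording belongs on the `AllowExistingViolations` field comment in the API package and should be regenerated from there, e.g. `AllowExistingViolations allows preexisting violating resources to continue violating a policy. When set to false, updates to a resource that already violates the rule are also evaluated and rejected.` (adjust the second sentence to whatever the handler actually does). The `validate` object this field is inserted into continues past the end of the hunk.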
@@ -2439,39 +2289,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -2487,113 +2343,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2604,13 +2446,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -2618,77 +2462,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2701,40 +2550,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2747,11 +2590,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -2765,23 +2608,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -2803,14 +2645,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2825,25 +2665,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2861,8 +2700,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2875,11 +2714,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2893,23 +2730,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2922,15 +2759,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2944,47 +2780,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2998,13 +2830,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3024,20 +2854,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3051,13 +2879,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3077,10 +2903,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -3102,31 +2927,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -3147,19 +2966,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3167,33 +2981,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3204,8 +3010,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
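Review bot: The reflowed tsaCertChain description still ends with `may contain the leaf TSA certificate if not present in the timestamurce`, which carries a typo into the new text; the same wording recurs in the tsaCertChain descriptions of the later hunks at -3236 and -3312. The intended word is not clear from the text alone (presumably "timestamp" or "timestamp source"), so it should be checked against the cosign documentation this sentence paraphrases before changing it. Since this schema looks like controller-gen output built from the Go type's doc comment, the correction belongs on the `TSACertChain` field comment in the API types rather than on this file, or the next regeneration will reintroduce it. The property sits inside a `ctlog` mapping whose enclosing attestor definition starts outside this hunk.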
@@ -3216,19 +3022,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3236,14 +3037,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -3251,22 +3048,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3276,10 +3069,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -3292,19 +3084,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3312,57 +3099,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3396,12 +3167,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3442,9 +3210,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3456,9 +3224,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3468,8 +3236,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -3488,13 +3257,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3503,19 +3270,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -3533,10 +3299,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3550,16 +3316,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -3567,31 +3332,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -3612,21 +3371,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3634,36 +3386,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3674,9 +3415,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3686,21 +3427,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3708,15 +3442,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3724,24 +3453,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3751,10 +3474,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3767,21 +3489,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3789,63 +3504,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3881,37 +3574,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3926,14 +3612,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3953,20 +3636,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -3981,14 +3662,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4008,10 +3686,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -4033,29 +3710,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -4076,19 +3749,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4096,33 +3764,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4132,8 +3792,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -4144,19 +3804,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4164,14 +3819,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -4179,22 +3830,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4203,10 +3850,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -4219,19 +3865,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4239,56 +3880,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -4321,11 +3947,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4335,13 +3959,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -4354,9 +3976,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4369,9 +3991,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4384,16 +4006,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -4408,9 +4029,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -4432,23 +4053,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -4456,9 +4077,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -4471,34 +4092,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4510,11 +4131,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4525,11 +4145,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -4544,51 +4163,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4599,15 +4216,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -4629,13 +4245,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -4650,23 +4265,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4683,8 +4299,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -4696,10 +4313,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4713,23 +4329,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -4742,14 +4358,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4759,11 +4375,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4785,10 +4400,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -4797,60 +4411,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -4863,20 +4466,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4897,44 +4497,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4947,12 +4538,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4967,36 +4556,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5026,10 +4607,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5038,60 +4618,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5104,20 +4673,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5138,44 +4704,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5188,12 +4745,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5208,36 +4763,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5254,21 +4801,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5276,57 +4821,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5339,20 +4876,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5372,42 +4906,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5420,12 +4947,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5440,32 +4965,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5481,11 +5002,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -5509,37 +5029,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5552,22 +5068,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -5579,11 +5092,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -5595,50 +5107,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5661,10 +5169,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5673,60 +5180,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5739,20 +5235,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5773,44 +5266,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5823,12 +5307,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5843,36 +5325,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5902,10 +5376,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5914,60 +5387,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5980,20 +5442,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6014,44 +5473,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6064,12 +5514,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6084,36 +5532,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6130,21 +5570,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6152,57 +5590,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6215,20 +5645,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6248,42 +5675,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6296,12 +5716,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6316,32 +5734,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6368,16 +5782,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6400,15 +5812,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6423,25 +5832,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6461,9 +5868,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6475,11 +5882,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6493,25 +5898,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6525,15 +5928,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -6548,43 +5950,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6599,14 +5999,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6626,20 +6023,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6654,14 +6049,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6681,10 +6073,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6693,14 +6084,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -6716,16 +6108,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6748,15 +6138,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6771,25 +6158,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6809,9 +6194,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6823,11 +6208,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6841,25 +6224,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6873,15 +6254,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6901,14 +6281,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -6922,27 +6300,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
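Review bot: The new `allowExistingViolations` field (hunk `@@ -6922,27 +6300,32 @@`, under `validate.properties`) ships with `default: true`, yet its description neither defines what counts as a pre-existing violation nor says what a `false` value changes for an update to an already-violating resource, which is exactly what an operator tightening a policy needs to know before relying on the default; it also misspells "prexisting". This CRD text looks like controller-gen output, so the wording should be corrected in the Go type's doc comment rather than in this file. Something along the lines of `AllowExistingViolations, when true (the default), lets resources that already violate the policy continue to be admitted on update; set it to false to reject such updates.` would cover both points, provided it matches the actual admission behaviour. The enclosing `validate` mapping continues past the end of this hunk.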
@@ -6957,41 +6340,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -7007,124 +6394,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -7135,13 +6502,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -7149,82 +6518,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7236,41 +6606,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7283,12 +6646,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -7303,24 +6665,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -7343,15 +6703,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7366,25 +6723,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -7404,9 +6759,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7418,11 +6773,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7436,25 +6789,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -7468,15 +6819,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -7491,48 +6841,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7547,14 +6893,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7574,20 +6917,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7602,14 +6943,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7629,10 +6967,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -7655,31 +6992,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -7700,21 +7031,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7722,36 +7046,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
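Review bot: The rewrapped `tsaCertChain` description keeps the typo `timestamurce` on its last line, so the reflow preserves a defect rather than fixing it; the same wording recurs in the keyless and keys variants at the hunks starting `@@ -7796,15 +7102,10 @@` and `@@ -7877,63 +7164,41 @@`. The wording is presumably meant to read `may contain the leaf TSA certificate if not present in the timestamp source.` This CRD appears to be generated from the Go type doc comments, so the correction belongs in the source comment followed by a regeneration, not a hand edit here. The enclosing property mapping starts and ends outside this hunk.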
@@ -7762,9 +7075,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7774,21 +7087,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7796,15 +7102,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7812,24 +7113,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7839,10 +7134,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7855,21 +7149,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7877,63 +7164,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7969,12 +7234,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8015,10 +7277,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8030,9 +7291,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8042,9 +7303,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -8063,14 +7324,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8079,19 +7337,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -8109,10 +7366,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8126,17 +7383,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -8144,33 +7399,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -8191,23 +7438,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8216,27 +7454,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8244,13 +7471,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8261,9 +7484,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8273,23 +7496,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8298,17 +7512,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8316,13 +7523,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8330,13 +7533,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8346,11 +7545,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8364,23 +7561,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8389,56 +7577,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8446,13 +7610,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8489,40 +7649,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8537,14 +7687,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8564,21 +7711,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -8593,14 +7737,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8620,10 +7761,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -8645,31 +7785,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -8690,21 +7824,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8712,35 +7839,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8751,8 +7868,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -8763,21 +7880,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8785,15 +7895,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -8801,23 +7906,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8827,10 +7927,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -8843,21 +7942,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8865,61 +7957,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -8954,12 +8026,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8969,13 +8038,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -8988,10 +8055,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9005,9 +8071,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9020,16 +8086,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -9044,9 +8109,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -9071,42 +8136,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -9120,11 +8185,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9140,8 +8206,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9169,10 +8236,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -9230,19 +8296,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -9251,94 +8322,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -9349,15 +8424,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9379,13 +8453,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -9400,22 +8473,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9432,8 +8507,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -9444,10 +8520,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9461,21 +8536,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -9488,13 +8565,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9504,10 +8582,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9529,11 +8607,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9541,58 +8618,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9605,20 +8673,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9638,42 +8703,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9686,12 +8744,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9706,32 +8762,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9762,11 +8813,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9774,58 +8824,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9838,20 +8879,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9871,42 +8909,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9919,12 +8950,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9939,32 +8968,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9983,10 +9007,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -10008,34 +9032,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10047,21 +9070,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -10073,12 +9094,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -10089,50 +9109,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10154,11 +9171,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10166,58 +9182,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10230,20 +9237,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10263,42 +9267,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10311,12 +9308,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10331,32 +9326,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10387,11 +9377,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10399,58 +9388,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10463,20 +9443,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10496,42 +9473,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10544,12 +9514,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10564,32 +9532,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10618,15 +9581,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10648,14 +9610,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -10670,25 +9630,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10706,8 +9665,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -10720,11 +9679,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10738,23 +9695,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -10767,15 +9724,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -10788,42 +9744,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10837,13 +9792,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10863,20 +9816,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10890,13 +9841,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10916,10 +9865,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10928,14 +9876,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -10951,15 +9900,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10981,14 +9929,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11003,25 +9949,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11039,8 +9984,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11053,11 +9998,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11071,23 +10014,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11100,15 +10043,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11127,13 +10069,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -11147,17 +10088,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11168,11 +10109,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11190,18 +10131,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11212,11 +10153,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11234,27 +10175,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -11269,39 +10210,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -11317,113 +10264,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11434,13 +10367,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -11448,77 +10383,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11531,40 +10471,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11577,14 +10511,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -11597,13 +10532,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11621,17 +10554,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -11644,13 +10577,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11668,9 +10599,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -11687,23 +10618,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -11725,14 +10655,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11747,25 +10675,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11783,8 +10710,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11797,11 +10724,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11815,23 +10740,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11844,15 +10769,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -11866,47 +10790,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11920,13 +10840,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11946,20 +10864,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11973,13 +10889,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11999,10 +10913,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -12024,31 +10937,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -12069,19 +10976,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -12089,33 +10991,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12126,8 +11020,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
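Review bot: The reflowed tsaCertChain description in this hunk still ends with `if not present in the timestamurce.`, which reads as a corrupted word rather than a term; the same sentence recurs in the tsaCertChain hunks on L2060, L2063, L2070, L2072 and L2074. The intended phrase is presumably along the lines of `may contain the leaf TSA certificate if not present in the timestamp response.`, but it should be confirmed against the cosign option this field mirrors before it is changed. This CRD appears to be generated from the Go API types (the descriptions match doc-comment wording), so the correction belongs in the field's doc comment rather than in the YAML, or it will be lost on the next regeneration. The enclosing `keys` attestor mapping starts and ends outside this hunk.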
@@ -12138,19 +11032,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12158,14 +11047,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -12173,22 +11058,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12198,10 +11079,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -12214,19 +11094,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -12234,57 +11109,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
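Review bot: The new publicKeys description documents the Secret reference syntax as `"k8s:///"`, with no namespace or name placeholders between the slashes, so a reader cannot tell how to address the Secret that holds the verification key; the same text recurs in the publicKeys hunk on L2074-L2075. Because the key source is a trust decision for image verification, the format should be spelled out unambiguously, for example `or reference a standard Kubernetes Secret elsewhere in the cluster by specifying it in the format "k8s://NAMESPACE/SECRET_NAME".` (placeholder names constructed here). If the Go doc comment used angle-bracketed placeholders, they appear to have been stripped during generation, so a bracket-free form should be used in the source comment rather than editing this generated file. The enclosing attestor entry mapping starts and ends outside this hunk.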
@@ -12318,12 +11177,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -12364,9 +11220,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -12378,9 +11234,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -12390,8 +11246,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -12410,13 +11267,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -12425,19 +11280,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -12455,22 +11309,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -12478,31 +11331,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -12523,21 +11370,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12545,36 +11385,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12585,9 +11414,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -12597,21 +11426,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12619,15 +11441,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12635,24 +11452,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12662,10 +11473,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12678,21 +11488,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12700,63 +11503,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12792,37 +11573,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12837,14 +11611,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12864,20 +11635,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -12892,14 +11661,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12919,10 +11685,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -12944,29 +11709,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -12987,19 +11748,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13007,33 +11763,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13043,8 +11791,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -13055,19 +11803,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13075,14 +11818,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -13090,22 +11829,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13114,10 +11849,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -13130,19 +11864,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13150,56 +11879,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -13232,24 +11946,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13262,9 +11972,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -13277,25 +11987,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13304,9 +12013,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -13328,23 +12037,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -13352,9 +12061,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -13367,34 +12076,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13406,11 +12115,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13421,11 +12129,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -13439,51 +12146,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13494,15 +12199,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -13524,13 +12228,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -13545,23 +12248,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13578,8 +12282,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -13591,10 +12296,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13608,23 +12312,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13637,14 +12341,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13654,11 +12358,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13680,10 +12383,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13692,60 +12394,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13758,20 +12449,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -13792,44 +12480,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13842,12 +12521,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -13862,36 +12539,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -13921,10 +12590,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13933,60 +12601,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13999,20 +12656,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14033,44 +12687,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14083,12 +12728,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14103,36 +12746,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14149,21 +12784,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -14171,57 +12804,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14234,20 +12859,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14267,42 +12889,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14315,12 +12930,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14335,32 +12948,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14376,11 +12985,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -14404,37 +13012,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14447,22 +13051,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -14474,11 +13075,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -14490,50 +13090,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14556,10 +13152,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14568,60 +13163,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14634,20 +13218,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14668,44 +13249,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14718,12 +13290,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14738,36 +13308,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14797,10 +13359,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14809,60 +13370,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14875,20 +13425,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14909,44 +13456,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14959,12 +13497,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14979,36 +13515,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15025,21 +13553,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -15047,57 +13573,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -15110,20 +13628,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -15143,42 +13658,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15191,12 +13699,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -15211,32 +13717,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15263,16 +13765,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15295,15 +13795,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15318,25 +13815,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15356,9 +13851,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15370,11 +13865,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15388,25 +13881,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15420,15 +13911,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -15443,43 +13933,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15494,14 +13982,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15521,20 +14006,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15549,14 +14032,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15576,10 +14056,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15588,14 +14067,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -15611,16 +14091,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15643,15 +14121,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15666,25 +14141,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15704,9 +14177,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15718,11 +14191,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15736,25 +14207,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15768,15 +14237,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15796,14 +14264,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -15817,27 +14283,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
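Review bot: The description of the new `allowExistingViolations` field has a typo ("prexisting") and, more importantly, does not say which admission operations the `default: true` exempts, so a policy author cannot tell from the schema what enforcement is relaxed by default. Since this CRD is generated, the wording belongs in the Go doc comment of the source type; something like `AllowExistingViolations allows pre-existing violating resources to continue violating a policy (state explicitly which operations on an already-violating resource are admitted). Defaults to true.` would make the default's effect clear. If the intent is that updates to a resource already in violation are admitted under Enforce, that consequence should be spelled out rather than left to inference, since it changes what an operator can expect from an enforcing policy. The enclosing `validate` schema continues past this hunk.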
@@ -15852,41 +14323,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -15902,124 +14377,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16030,13 +14485,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -16044,82 +14501,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -16131,41 +14589,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16178,12 +14629,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -16198,24 +14648,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -16238,15 +14686,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16261,25 +14706,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -16299,9 +14742,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16313,11 +14756,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16331,25 +14772,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -16363,15 +14802,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -16386,48 +14824,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16442,14 +14876,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16469,20 +14900,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16497,14 +14926,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16524,10 +14950,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -16550,31 +14975,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -16595,21 +15014,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16617,36 +15029,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16657,9 +15058,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16669,21 +15070,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16691,15 +15085,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16707,24 +15096,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16734,10 +15117,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16750,21 +15132,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16772,63 +15147,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16864,12 +15217,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16910,10 +15260,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16925,9 +15274,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16937,9 +15286,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -16958,14 +15307,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16974,19 +15320,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -17004,10 +15349,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17021,17 +15366,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -17039,33 +15382,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -17086,23 +15421,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17111,27 +15437,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17139,13 +15454,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17156,9 +15467,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17168,23 +15479,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17193,17 +15495,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17211,13 +15506,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17225,13 +15516,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17241,11 +15528,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17259,23 +15544,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17284,56 +15560,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17341,13 +15593,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17384,40 +15632,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17432,14 +15670,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17459,21 +15694,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -17488,14 +15720,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17515,10 +15744,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -17540,31 +15768,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -17585,21 +15807,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17607,35 +15822,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17646,8 +15851,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -17658,21 +15863,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17680,15 +15878,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -17696,23 +15889,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17722,10 +15910,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -17738,21 +15925,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17760,61 +15940,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -17849,12 +16009,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17864,13 +16021,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -17883,10 +16038,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17900,9 +16054,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17915,16 +16069,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -17939,9 +16092,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -17966,42 +16119,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -18015,11 +16168,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18035,8 +16189,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18064,10 +16219,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
diff --git a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml
index a27e39eabd4a..d86b22970492 100644
--- a/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml
+++ b/cmd/cli/kubectl-kyverno/data/crds/kyverno.io_policyexceptions.yaml
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io
@@ -26,14 +26,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -41,11 +46,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -53,9 +57,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -91,11 +96,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -103,52 +107,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -160,19 +161,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -192,38 +191,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -235,12 +231,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -255,32 +249,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -309,11 +299,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -321,52 +310,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -378,19 +364,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -410,38 +394,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -453,12 +434,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -473,32 +452,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -525,14 +500,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -540,11 +520,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -552,9 +531,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -590,11 +570,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -602,52 +581,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -659,19 +635,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -691,38 +665,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -734,12 +705,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -754,32 +723,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -808,11 +773,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -820,52 +784,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -877,19 +838,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -909,38 +868,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -952,12 +908,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -972,32 +926,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
diff --git a/config/crds/kyverno.io_admissionreports.yaml b/config/crds/kyverno.io_admissionreports.yaml index 214e1bf7396d..a9f888c527a2 100644 --- a/config/crds/kyverno.io_admissionreports.yaml +++ b/config/crds/kyverno.io_admissionreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -53,14 +53,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -74,25 +79,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion 
@@ -124,35 +137,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -164,11 +177,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -176,66 +188,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -274,17 +283,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_backgroundscanreports.yaml b/config/crds/kyverno.io_backgroundscanreports.yaml index 56a609a27f55..c00610ee0338 100644 --- a/config/crds/kyverno.io_backgroundscanreports.yaml 
+++ b/config/crds/kyverno.io_backgroundscanreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -57,14 +57,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -93,35 +98,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -133,11 +138,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -145,66 +149,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -243,17 +244,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_cleanuppolicies.yaml b/config/crds/kyverno.io_cleanuppolicies.yaml index dcba01e64050..36c7ff299a08 100644 --- a/config/crds/kyverno.io_cleanuppolicies.yaml 
+++ b/config/crds/kyverno.io_cleanuppolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -32,14 +32,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -51,10 +56,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -65,11 +71,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -87,17 +93,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -108,11 +115,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -130,9 +137,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -141,13 +148,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -167,12 +175,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -185,22 +193,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -217,8 +227,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -229,9 +240,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -244,21 +255,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -271,13 +284,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -287,10 +301,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -311,11 +325,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -323,52 +336,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -380,19 +390,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -412,38 +420,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -455,12 +460,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -475,32 +478,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -529,11 +528,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -541,52 +539,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -598,19 +593,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -630,38 +623,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -673,12 +663,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -693,32 +681,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -730,10 +714,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -754,11 +739,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -766,52 +750,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -823,19 +804,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -855,38 +834,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -898,12 +874,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -918,32 +892,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -972,11 +942,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -984,52 +953,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1041,19 +1007,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1073,38 +1037,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1116,12 +1077,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1136,32 +1095,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1184,42 +1139,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1233,11 +1188,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1273,14 +1229,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1292,10 +1253,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -1306,11 +1268,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -1328,17 +1290,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -1349,11 +1312,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -1371,9 +1334,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1382,13 +1345,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -1408,12 +1372,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -1426,22 +1390,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1458,8 +1424,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -1470,9 +1437,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1485,21 +1452,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -1512,13 +1481,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -1528,10 +1498,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -1552,11 +1522,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1564,52 +1533,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1621,19 +1587,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1653,38 +1617,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1696,12 +1657,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1716,32 +1675,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1770,11 +1725,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1782,52 +1736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1839,19 +1790,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1871,38 +1820,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1914,12 +1860,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1934,32 +1878,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1971,10 +1911,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1995,11 +1936,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2007,52 +1947,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2064,19 +2001,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2096,38 +2031,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2139,12 +2071,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2159,32 +2089,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2213,11 +2139,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2225,52 +2150,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2282,19 +2204,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2314,38 +2234,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2357,12 +2274,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2377,32 +2292,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2425,42 +2336,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -2474,11 +2385,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crds/kyverno.io_clusteradmissionreports.yaml b/config/crds/kyverno.io_clusteradmissionreports.yaml index 8decc5c86506..d6c3e2e452aa 100644 --- a/config/crds/kyverno.io_clusteradmissionreports.yaml +++ b/config/crds/kyverno.io_clusteradmissionreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io 
@@ -54,14 +54,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -75,25 +80,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion 
@@ -125,35 +138,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -165,11 +178,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -177,66 +189,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -275,17 +284,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_clusterbackgroundscanreports.yaml b/config/crds/kyverno.io_clusterbackgroundscanreports.yaml index 1b1c81306c3a..26c3a71e91c2 100644 
--- a/config/crds/kyverno.io_clusterbackgroundscanreports.yaml +++ b/config/crds/kyverno.io_clusterbackgroundscanreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -57,14 +57,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -93,35 +98,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -133,11 +138,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -145,66 +149,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -243,17 +244,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: diff --git a/config/crds/kyverno.io_clustercleanuppolicies.yaml b/config/crds/kyverno.io_clustercleanuppolicies.yaml index f36f32c4f7cf..55bcee3d0874 100644 --- a/config/crds/kyverno.io_clustercleanuppolicies.yaml 
+++ b/config/crds/kyverno.io_clustercleanuppolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -32,14 +32,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -51,10 +56,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -65,11 +71,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -87,17 +93,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -108,11 +115,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -130,9 +137,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -141,13 +148,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -167,12 +175,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -185,22 +193,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -217,8 +227,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -229,9 +240,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -244,21 +255,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -271,13 +284,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -287,10 +301,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -311,11 +325,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -323,52 +336,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -380,19 +390,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -412,38 +420,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -455,12 +460,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -475,32 +478,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -529,11 +528,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -541,52 +539,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -598,19 +593,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -630,38 +623,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -673,12 +663,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -693,32 +681,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -730,10 +714,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -754,11 +739,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -766,52 +750,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -823,19 +804,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -855,38 +834,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -898,12 +874,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -918,32 +892,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -972,11 +942,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -984,52 +953,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1041,19 +1007,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1073,38 +1037,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1116,12 +1077,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1136,32 +1095,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1184,42 +1139,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1233,11 +1188,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -1273,14 +1229,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -1292,10 +1253,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -1306,11 +1268,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -1328,17 +1290,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -1349,11 +1312,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -1371,9 +1334,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -1382,13 +1345,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -1408,12 +1372,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -1426,22 +1390,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1458,8 +1424,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -1470,9 +1437,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1485,21 +1452,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -1512,13 +1481,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -1528,10 +1498,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -1552,11 +1522,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1564,52 +1533,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1621,19 +1587,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1653,38 +1617,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1696,12 +1657,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1716,32 +1675,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1770,11 +1725,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1782,52 +1736,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1839,19 +1790,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1871,38 +1820,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1914,12 +1860,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1934,32 +1878,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1971,10 +1911,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1995,11 +1936,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2007,52 +1947,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2064,19 +2001,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2096,38 +2031,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2139,12 +2071,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2159,32 +2089,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2213,11 +2139,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2225,52 +2150,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2282,19 +2204,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2314,38 +2234,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2357,12 +2274,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2377,32 +2292,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2425,42 +2336,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -2474,11 +2385,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crds/kyverno.io_clusterpolicies.yaml b/config/crds/kyverno.io_clusterpolicies.yaml index 0502e00a1842..9c3308bd6a30 100644 --- a/config/crds/kyverno.io_clusterpolicies.yaml +++ b/config/crds/kyverno.io_clusterpolicies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io 
@@ -64,14 +64,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -80,95 +85,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -179,15 +188,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -209,13 +217,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -230,22 +237,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -262,8 +271,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -274,10 +284,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -291,21 +300,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -318,13 +329,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -334,10 +346,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -359,11 +371,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -371,58 +382,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -435,20 +437,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -468,42 +467,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -516,12 +508,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -536,32 +526,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -592,11 +577,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -604,58 +588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -668,20 +643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -701,42 +673,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -749,12 +714,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -769,32 +732,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -812,20 +770,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -833,52 +790,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -890,19 +844,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -922,38 +874,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -965,12 +914,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -985,32 +932,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1026,10 +969,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -1051,34 +994,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1090,21 +1032,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -1116,12 +1056,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -1132,50 +1071,47 @@ spec:
 items:
 properties:
 jmesPath:
- description: 'JMESPath is an optional JMESPath expression
- to apply to the image value. This is useful when the
- extracted image begins with a prefix like ''docker://''.
- The ''trim_prefix'' function may be used to trim the
- prefix: trim_prefix(@, ''docker://''). Note - Image
- digest mutation may not be used when applying a JMESPAth
- to an image.'
+ description: |-
+ JMESPath is an optional JMESPath expression to apply to the image value.
+ This is useful when the extracted image begins with a prefix like 'docker://'.
+ The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://').
+ Note - Image digest mutation may not be used when applying a JMESPAth to an image.
 type: string
 key:
- description: Key is an optional name of the field within
- 'path' that will be used to uniquely identify an image.
+ description: |-
+ Key is an optional name of the field within 'path' that will be used to uniquely identify an image.
 Note - this field MUST be unique.
 type: string
 name:
- description: Name is the entry the image will be available
- under 'images.' in the context. If this field
- is not defined, image entries will appear under 'images.custom'.
+ description: |-
+ Name is the entry the image will be available under 'images.' in the context.
+ If this field is not defined, image entries will appear under 'images.custom'.
 type: string
 path:
- description: Path is the path to the object containing
- the image field in a custom resource. It should be
- slash-separated. Each slash-separated key must be
- a valid YAML key or a wildcard '*'. Wildcard keys
- are expanded in case of arrays or objects.
+ description: |-
+ Path is the path to the object containing the image field in a custom resource.
+ It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'.
+ Wildcard keys are expanded in case of arrays or objects.
 type: string
 value:
- description: Value is an optional name of the field
- within 'path' that points to the image URI. This is
- useful when a custom 'key' is also defined.
+ description: |-
+ Value is an optional name of the field within 'path' that points to the image URI.
+ This is useful when a custom 'key' is also defined.
 type: string
 required:
 - path
 type: object
 type: array
- description: ImageExtractors defines a mapping from kinds to
- ImageExtractorConfigs. This config is only valid for verifyImages
- rules.
+ description: |-
+ ImageExtractors defines a mapping from kinds to ImageExtractorConfigs.
+ This config is only valid for verifyImages rules.
 type: object
 match:
- description: MatchResources defines when this policy rule should
- be applied. The match criteria can include resource information
- (e.g. kind, name, namespace, labels) and admission review
- request information like the user name or role. At least one
- kind is required.
+ description: |-
+ MatchResources defines when this policy rule should be applied. The match
+ criteria can include resource information (e.g. kind, name, namespace, labels)
+ and admission review request information like the user name or role.
+ At least one kind is required.
 properties:
 all:
 description: All allows specifying resources which will
@@ -1197,11 +1133,10 @@ spec:
 annotations:
 additionalProperties:
 type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
 type: object
 kinds:
 description: Kinds is a list of resource kinds.
@@ -1209,58 +1144,49 @@ spec:
 type: string
 type: array
 name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
 type: string
 names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
 items:
 type: string
 type: array
 namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
 items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
 properties:
 key:
 description: key is the label key that the selector applies to.
 type: string
 operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
 type: string
 values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
 merge patch.
 items:
 type: string
@@ -1273,20 +1199,17 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
 namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
 items:
 type: string
 type: array
@@ -1306,42 +1229,35 @@ spec:
 type: string
 type: array
 selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
 items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
 properties:
 key:
 description: key is the label key that the selector applies to.
 type: string
 operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
 type: string
 values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
 merge patch.
 items:
 type: string
@@ -1354,12 +1270,10 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
@@ -1374,32 +1288,27 @@ spec:
 description: Subjects is the list of subject names like users, user groups, and service accounts.
 items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
 properties:
 apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
 type: string
 kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
 type: string
 name:
 description: Name of the object being referenced.
 type: string
 namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
 the Authorizer should report an error.
 type: string
 required:
@@ -1430,11 +1339,10 @@ spec:
 annotations:
 additionalProperties:
 type: string
- description: Annotations is a map of annotations
- (key-value pairs of type string). Annotation
- keys and values support the wildcard characters
- "*" (matches zero or many characters) and "?"
- (matches at least one character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
 type: object
 kinds:
 description: Kinds is a list of resource kinds.
@@ -1442,58 +1350,49 @@ spec:
 type: string
 type: array
 name:
- description: 'Name is the name of the resource.
- The name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character). NOTE: "Name" is being deprecated
- in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
 type: string
 names:
- description: Names are the names of the resources.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one
- character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
 items:
 type: string
 type: array
 namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?`
- (matches one character).Wildcards allows writing
- label selectors like ["storage.k8s.io/*": "*"].
- Note that using ["*" : "*"] matches any key
- and value but does not match an empty label
- set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
 items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
 properties:
 key:
 description: key is the label key that the selector applies to.
 type: string
 operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
 type: string
 values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
 merge patch.
 items:
 type: string
@@ -1506,20 +1405,17 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
 namespaces:
- description: Namespaces is a list of namespaces
- names. Each name supports wildcard characters
- "*" (matches zero or many characters) and "?"
- (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
 items:
 type: string
 type: array
@@ -1539,42 +1435,35 @@ spec:
 type: string
 type: array
 selector:
- description: 'Selector is a label selector. Label
- keys and values in `matchLabels` support the
- wildcard characters `*` (matches zero or many
- characters) and `?` (matches one character).
- Wildcards allows writing label selectors like
- ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not
- match an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
 items:
- description: A label selector requirement
- is a selector that contains values, a
- key, and an operator that relates the
- key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
 properties:
 key:
 description: key is the label key that the selector applies to.
 type: string
 operator:
- description: operator represents a key's
- relationship to a set of values. Valid
- operators are In, NotIn, Exists and
- DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
 type: string
 values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty.
- If the operator is Exists or DoesNotExist,
- the values array must be empty. This
- array is replaced during a strategic
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
 merge patch.
 items:
 type: string
@@ -1587,12 +1476,10 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is
- "In", and the values array contains only
- "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
@@ -1607,32 +1494,27 @@ spec:
 description: Subjects is the list of subject names like users, user groups, and service accounts.
 items:
- description: Subject contains a reference to the
- object or user identities a role binding applies
- to. This can either hold a direct API object
- reference, or a value for non-objects such as
- user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
 properties:
 apiGroup:
- description: APIGroup holds the API group of
- the referenced subject. Defaults to "" for
- ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io"
- for User and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
 type: string
 kind:
- description: Kind of object being referenced.
- Values defined by this API group are "User",
- "Group", and "ServiceAccount". If the Authorizer
- does not recognized the kind value, the Authorizer
- should report an error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
 type: string
 name:
 description: Name of the object being referenced.
 type: string
 namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as
- "User" or "Group", and this value is not empty
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
 the Authorizer should report an error.
 type: string
 required:
@@ -1650,20 +1532,19 @@ spec:
 type: string
 type: array
 resources:
- description: ResourceDescription contains information about
- the resource being created or modified. Requires at least
- one tag to be specified when under MatchResources. Specifying
- ResourceDescription directly under match is being deprecated.
+ description: |-
+ ResourceDescription contains information about the resource being created or modified.
+ Requires at least one tag to be specified when under MatchResources.
+ Specifying ResourceDescription directly under match is being deprecated.
 Please specify under "any" or "all" instead.
 properties:
 annotations:
 additionalProperties:
 type: string
- description: Annotations is a map of annotations (key-value
- pairs of type string). Annotation keys and values
- support the wildcard characters "*" (matches zero
- or many characters) and "?" (matches at least one
- character).
+ description: |-
+ Annotations is a map of annotations (key-value pairs of type string). Annotation keys
+ and values support the wildcard characters "*" (matches zero or many characters) and
+ "?" (matches at least one character).
 type: object
 kinds:
 description: Kinds is a list of resource kinds.
@@ -1671,52 +1552,49 @@ spec:
 type: string
 type: array
 name:
- description: 'Name is the name of the resource. The
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
- NOTE: "Name" is being deprecated in favor of "Names".'
+ description: |-
+ Name is the name of the resource. The name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
+ NOTE: "Name" is being deprecated in favor of "Names".
 type: string
 names:
- description: Names are the names of the resources. Each
- name supports wildcard characters "*" (matches zero
- or many characters) and "?" (at least one character).
+ description: |-
+ Names are the names of the resources. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
 items:
 type: string
 type: array
 namespaceSelector:
- description: 'NamespaceSelector is a label selector
- for the resource namespace. Label keys and values
- in `matchLabels` support the wildcard characters `*`
- (matches zero or many characters) and `?` (matches
- one character).Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ NamespaceSelector is a label selector for the resource namespace. Label keys and values
+ in `matchLabels` support the wildcard characters `*` (matches zero or many characters)
+ and `?` (matches one character).Wildcards allows writing label selectors like
+ ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but
+ does not match an empty label set.
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
 items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
 properties:
 key:
 description: key is the label key that the selector applies to.
 type: string
 operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
 type: string
 values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
 items:
 type: string
 type: array
@@ -1728,19 +1606,17 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
 namespaces:
- description: Namespaces is a list of namespaces names.
- Each name supports wildcard characters "*" (matches
- zero or many characters) and "?" (at least one character).
+ description: |-
+ Namespaces is a list of namespaces names. Each name supports wildcard characters
+ "*" (matches zero or many characters) and "?" (at least one character).
 items:
 type: string
 type: array
@@ -1760,38 +1636,35 @@ spec:
 type: string
 type: array
 selector:
- description: 'Selector is a label selector. Label keys
- and values in `matchLabels` support the wildcard characters
- `*` (matches zero or many characters) and `?` (matches
- one character). Wildcards allows writing label selectors
- like ["storage.k8s.io/*": "*"]. Note that using ["*"
- : "*"] matches any key and value but does not match
- an empty label set.'
+ description: |-
+ Selector is a label selector. Label keys and values in `matchLabels` support the wildcard
+ characters `*` (matches zero or many characters) and `?` (matches one character).
+ Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that
+ using ["*" : "*"] matches any key and value but does not match an empty label set.
 properties:
 matchExpressions:
 description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
 items:
- description: A label selector requirement is a
- selector that contains values, a key, and an
- operator that relates the key and values.
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
 properties:
 key:
 description: key is the label key that the selector applies to.
 type: string
 operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are
- In, NotIn, Exists and DoesNotExist.
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
 type: string
 values:
- description: values is an array of string
- values. If the operator is In or NotIn,
- the values array must be non-empty. If the
- operator is Exists or DoesNotExist, the
- values array must be empty. This array is
- replaced during a strategic merge patch.
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
 items:
 type: string
 type: array
@@ -1803,12 +1676,10 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator is "In",
- and the values array contains only "value". The
- requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
@@ -1823,32 +1694,28 @@ spec:
 description: Subjects is the list of subject names like users, user groups, and service accounts.
 items:
- description: Subject contains a reference to the object
- or user identities a role binding applies to. This
- can either hold a direct API object reference, or a
- value for non-objects such as user and group names.
+ description: |-
+ Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference,
+ or a value for non-objects such as user and group names.
 properties:
 apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User
- and Group subjects.
+ description: |-
+ APIGroup holds the API group of the referenced subject.
+ Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and Group subjects.
 type: string
 kind:
- description: Kind of object being referenced. Values
- defined by this API group are "User", "Group", and
- "ServiceAccount". If the Authorizer does not recognized
- the kind value, the Authorizer should report an
- error.
+ description: |-
+ Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value, the Authorizer should report an error.
 type: string
 name:
 description: Name of the object being referenced.
 type: string
 namespace:
- description: Namespace of the referenced object. If
- the object kind is non-namespace, such as "User"
- or "Group", and this value is not empty the Authorizer
- should report an error.
+ description: |-
+ Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty
+ the Authorizer should report an error.
 type: string
 required:
 - kind
@@ -1874,15 +1741,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1904,14 +1770,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -1926,25 +1790,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1962,8 +1825,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -1976,11 +1839,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1994,23 +1855,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2023,15 +1884,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2044,42 +1904,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2093,13 +1952,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2119,20 +1976,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2146,13 +2001,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2172,10 +2025,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2184,14 +2036,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -2207,15 +2060,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2237,14 +2089,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2259,25 +2109,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2295,8 +2144,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2309,11 +2158,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2327,23 +2174,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2356,15 +2203,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2383,13 +2229,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -2403,27 +2248,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
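Review bot: The description of the new `allowExistingViolations` field (default `true`) in the `validate` block does not say which admission requests it exempts, so a policy author reading this schema cannot tell that, by default, a resource that already fails a rule is presumably still allowed through on later requests; that is the point a security reviewer will want stated explicitly, since it makes enforcement non-retroactive unless the field is set to `false`. It also carries a typo, `prexisting` for `pre-existing`. Suggested wording: `AllowExistingViolations allows pre-existing violating resources to continue violating a policy; when true (the default) requests touching a resource that already fails the rule are not rejected, set it to false to enforce the rule on those resources as well.` This file looks like generated CRD output (controller-gen style `x-kubernetes-*` markers), so the change belongs in the doc comment of the Go type the field is generated from rather than in this file.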
@@ -2438,39 +2288,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -2486,113 +2342,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2603,13 +2445,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -2617,77 +2461,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2700,40 +2549,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2746,11 +2589,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -2764,23 +2607,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -2802,14 +2644,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2824,25 +2664,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2860,8 +2699,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2874,11 +2713,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2892,23 +2729,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2921,15 +2758,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2943,47 +2779,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2997,13 +2829,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3023,20 +2853,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3050,13 +2878,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3076,10 +2902,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -3101,31 +2926,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -3146,19 +2965,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3166,33 +2980,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3203,8 +3009,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -3215,19 +3021,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3235,14 +3036,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -3250,22 +3047,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3275,10 +3068,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -3291,19 +3083,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3311,57 +3098,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3395,12 +3166,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3441,9 +3209,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3455,9 +3223,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3467,8 +3235,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -3487,13 +3256,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3502,19 +3269,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -3532,10 +3298,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3549,16 +3315,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -3566,31 +3331,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -3611,21 +3370,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3633,36 +3385,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3673,9 +3414,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3685,21 +3426,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3707,15 +3441,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3723,24 +3452,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3750,10 +3473,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3766,21 +3488,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3788,63 +3503,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3880,37 +3573,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3925,14 +3611,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3952,20 +3635,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -3980,14 +3661,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4007,10 +3685,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -4032,29 +3709,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -4075,19 +3748,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4095,33 +3763,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4131,8 +3791,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -4143,19 +3803,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4163,14 +3818,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -4178,22 +3829,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4202,10 +3849,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -4218,19 +3864,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4238,56 +3879,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -4320,11 +3946,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4334,13 +3958,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -4353,9 +3975,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4368,9 +3990,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4383,16 +4005,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -4407,9 +4028,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -4431,23 +4052,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -4455,9 +4076,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -4470,34 +4091,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4509,11 +4130,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4524,11 +4144,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -4542,51 +4161,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4597,15 +4214,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -4627,13 +4243,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -4648,23 +4263,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4681,8 +4297,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -4694,10 +4311,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4711,23 +4327,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -4740,14 +4356,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4757,11 +4373,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4783,10 +4398,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -4795,60 +4409,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -4861,20 +4464,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4895,44 +4495,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4945,12 +4536,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4965,36 +4554,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5024,10 +4605,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5036,60 +4616,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5102,20 +4671,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5136,44 +4702,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5186,12 +4743,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5206,36 +4761,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5252,21 +4799,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5274,57 +4819,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5337,20 +4874,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5370,42 +4904,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5418,12 +4945,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5438,32 +4963,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5479,11 +5000,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -5507,37 +5027,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5550,22 +5066,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -5577,11 +5090,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -5593,50 +5105,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5659,10 +5167,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5671,60 +5178,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5737,20 +5233,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5771,44 +5264,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5821,12 +5305,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5841,36 +5323,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5900,10 +5374,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5912,60 +5385,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5978,20 +5440,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6012,44 +5471,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6062,12 +5512,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6082,36 +5530,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6128,21 +5568,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6150,57 +5588,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6213,20 +5643,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6246,42 +5673,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6294,12 +5714,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6314,32 +5732,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6366,16 +5780,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6398,15 +5810,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6421,25 +5830,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6459,9 +5866,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6473,11 +5880,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6491,25 +5896,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6523,15 +5926,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -6546,43 +5948,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6597,14 +5997,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6624,20 +6021,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6652,14 +6047,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6679,10 +6071,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6691,14 +6082,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -6714,16 +6106,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6746,15 +6136,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6769,25 +6156,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6807,9 +6192,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6821,11 +6206,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6839,25 +6222,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6871,15 +6252,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6899,14 +6279,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -6920,27 +6298,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
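Review bot: The new `allowExistingViolations` field under `validate` defaults to `true`, which relaxes enforcement for resources that already violate a policy, yet its description only says they may "continue violating" without stating which admission operations that exempts (presumably updates whose existing object already failed the rule — verify against the validation controller before documenting it). Because this CRD is generated, the wording should be fixed in the Go doc comment on the `AllowExistingViolations` field of the `Validation` type, e.g. `// AllowExistingViolations allows pre-existing violating resources to continue violating a policy. Defaults to true; set to false if Enforce mode must also reject changes to resources that were already non-compliant.`, which also corrects the typo `prexisting`. Operators who rely on Enforce as a hard gate should be told explicitly that the default permits such requests, since a permissive default on a new schema field is easy to miss during an upgrade.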
@@ -6955,41 +6338,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -7005,124 +6392,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
 type: string
 required:
 - expression
@@ -7133,13 +6500,15 @@ spec:
 and Version.
 properties:
 apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
 Required.
 type: string
 kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
 type: string
 type: object
 x-kubernetes-map-type: atomic
@@ -7147,82 +6516,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7234,41 +6604,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7281,12 +6644,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -7301,24 +6663,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -7341,15 +6701,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7364,25 +6721,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -7402,9 +6757,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7416,11 +6771,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7434,25 +6787,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -7466,15 +6817,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -7489,48 +6839,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7545,14 +6891,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7572,20 +6915,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7600,14 +6941,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7627,10 +6965,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -7653,31 +6990,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -7698,21 +7029,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7720,36 +7044,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7760,9 +7073,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7772,21 +7085,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7794,15 +7100,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7810,24 +7111,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7837,10 +7132,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7853,21 +7147,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7875,63 +7162,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7967,12 +7232,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8013,10 +7275,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8028,9 +7289,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8040,9 +7301,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -8061,14 +7322,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8077,19 +7335,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -8107,10 +7364,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8124,17 +7381,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -8142,33 +7397,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -8189,23 +7436,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8214,27 +7452,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8242,13 +7469,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8259,9 +7482,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8271,23 +7494,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8296,17 +7510,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8314,13 +7521,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8328,13 +7531,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8344,11 +7543,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8362,23 +7559,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8387,56 +7575,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8444,13 +7608,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8487,40 +7647,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8535,14 +7685,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8562,21 +7709,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -8591,14 +7735,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8618,10 +7759,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -8643,31 +7783,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -8688,21 +7822,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8710,35 +7837,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8749,8 +7866,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -8761,21 +7878,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8783,15 +7893,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -8799,23 +7904,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8825,10 +7925,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -8841,21 +7940,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8863,61 +7955,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -8952,12 +8024,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8967,13 +8036,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -8986,10 +8053,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9003,9 +8069,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9018,16 +8084,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -9042,9 +8107,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -9069,42 +8134,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -9118,11 +8183,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9138,8 +8204,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9167,10 +8234,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -9232,14 +8298,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -9248,94 +8319,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -9346,15 +8421,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9376,13 +8450,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -9397,22 +8470,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9429,8 +8504,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -9441,10 +8517,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9458,21 +8533,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -9485,13 +8562,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9501,10 +8579,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9526,11 +8604,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9538,58 +8615,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9602,20 +8670,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9635,42 +8700,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9683,12 +8741,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9703,32 +8759,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9759,11 +8810,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9771,58 +8821,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9835,20 +8876,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9868,42 +8906,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9916,12 +8947,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9936,32 +8965,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9980,10 +9004,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -10005,34 +9029,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10044,21 +9067,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -10070,12 +9091,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -10086,50 +9106,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10151,11 +9168,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10163,58 +9179,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10227,20 +9234,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10260,42 +9264,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10308,12 +9305,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10328,32 +9323,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10384,11 +9374,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10396,58 +9385,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10460,20 +9440,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10493,42 +9470,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10541,12 +9511,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10561,32 +9529,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10615,15 +9578,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10645,14 +9607,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -10667,25 +9627,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10703,8 +9662,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -10717,11 +9676,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10735,23 +9692,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -10764,15 +9721,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -10785,42 +9741,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10834,13 +9789,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10860,20 +9813,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10887,13 +9838,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10913,10 +9862,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10925,14 +9873,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -10948,15 +9897,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10978,14 +9926,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11000,25 +9946,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11036,8 +9981,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11050,11 +9995,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11068,23 +10011,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11097,15 +10040,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11124,13 +10066,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -11144,17 +10085,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11165,11 +10106,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11187,18 +10128,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11209,11 +10150,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11231,27 +10172,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -11266,39 +10207,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -11314,113 +10261,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11431,13 +10364,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -11445,77 +10380,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11528,40 +10468,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11574,14 +10508,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -11594,13 +10529,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11618,17 +10551,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -11641,13 +10574,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11665,9 +10596,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -11684,23 +10615,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -11722,14 +10652,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11744,25 +10672,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11780,8 +10707,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11794,11 +10721,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11812,23 +10737,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11841,15 +10766,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -11863,47 +10787,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11917,13 +10837,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11943,20 +10861,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11970,13 +10886,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11996,10 +10910,9 @@ spec:
 - DurationLessThan
 type: string
 value:
- description: Value is the conditional value,
- or set of values. The values can be fixed
- set or can be variables declared using
- JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
 x-kubernetes-preserve-unknown-fields: true
 type: object
 type: array
@@ -12021,31 +10934,25 @@ spec:
 items:
 properties:
 count:
- description: Count specifies the required number
- of entries that must match. If the count is
- null, all entries must match (a logical AND).
- If the count is 1, at least one entry must match
- (a logical OR). If the count contains a value
- N, then N must be less than or equal to the
- size of entries, and at least N entries must
- match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
 minimum: 1
 type: integer
 entries:
- description: Entries contains the available attestors.
- An attestor can be a static key, attributes
- for keyless verification, or a nested attestor
- declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
 items:
 properties:
 annotations:
 additionalProperties:
 type: string
- description: Annotations are used for image
- verification. Every specified key-value
- pair must exist and match in the verified
- payload. The payload may contain other
- key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
 type: object
 attestor:
 description: Attestor is a nested set of
@@ -12066,19 +10973,14 @@ spec:
 to verify.
 type: string
 ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 properties:
 ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
 type: boolean
 pubkey:
 description: PubKey, if set, is
@@ -12086,33 +10988,25 @@ spec:
 a custom source.
 type: string
 tsaCertChain:
- description: TSACertChain, if set,
- is the PEM-encoded certificate
- chain file for the RFC3161 timestamp
- authority. Must contain the root
- CA certificate. Optionally may
- contain intermediate CA certificates,
- and may contain the leaf TSA certificate
- if not present in the timestamurce.
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
 type: string
 type: object
 rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
 properties:
 ignoreTlog:
 description: IgnoreTlog skips transparency log verification.
 type: boolean
 pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
 type: string
 url:
 description: URL is the address
@@ -12123,8 +11017,8 @@ spec:
 type: object
 type: object
 keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless attestor.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
 See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
 properties:
 additionalExtensions:
@@ -12135,19 +11029,14 @@ spec:
 signing.
 type: object
 ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 properties:
 ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
 type: boolean
 pubkey:
 description: PubKey, if set, is
@@ -12155,14 +11044,10 @@ spec:
 a custom source.
 type: string
 tsaCertChain:
- description: TSACertChain, if set,
- is the PEM-encoded certificate
- chain file for the RFC3161 timestamp
- authority. Must contain the root
- CA certificate. Optionally may
- contain intermediate CA certificates,
- and may contain the leaf TSA certificate
- if not present in the timestamurce.
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
 type: string
 type: object
 issuer:
@@ -12170,22 +11055,18 @@ spec:
 issuer used for keyless signing.
 type: string
 rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
 properties:
 ignoreTlog:
 description: IgnoreTlog skips transparency log verification.
 type: boolean
 pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
 type: string
 url:
 description: URL is the address
@@ -12195,10 +11076,9 @@ spec:
 type: string
 type: object
 roots:
- description: Roots is an optional set
- of PEM encoded trusted root certificates.
- If not provided, the system roots
- are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
 type: string
 subject:
 description: Subject is the verified
@@ -12211,19 +11091,14 @@ spec:
 public keys.
 properties:
 ctlog:
- description: CTLog (certificate timestamp
- log) provides a configuration for
- validation of Signed Certificate Timestamps
- (SCTs). If the value is unset, the
- default behavior by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 properties:
 ignoreSCT:
- description: IgnoreSCT defines whether
- to use the Signed Certificate
- Timestamp (SCT) log to check for
- a certificate timestamp. Default
- is false. Set to true if this
- was opted out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
 type: boolean
 pubkey:
 description: PubKey, if set, is
@@ -12231,57 +11106,41 @@ spec:
 a custom source.
 type: string
 tsaCertChain:
- description: TSACertChain, if set,
- is the PEM-encoded certificate
- chain file for the RFC3161 timestamp
- authority. Must contain the root
- CA certificate. Optionally may
- contain intermediate CA certificates,
- and may contain the leaf TSA certificate
- if not present in the timestamurce.
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
 type: string
 type: object
 kms:
- description: 'KMS provides the URI to
- the public key stored in a Key Management
- System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
 type: string
 publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image signatures.
- The keys can be directly specified
- or can be a variable reference to
- a key specified in a ConfigMap (see
- https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster by
- specifying it in the format "k8s:///".
- The named Secret must specify a key
- `cosign.pub` containing the public
- key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified each
- key is processed as a separate staticKey
- entry (.attestors[*].entries.keys)
- within the set of attestors and the
- count is applied across the keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s:///".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
 type: string
 rekor:
- description: Rekor provides configuration
- for the Rekor transparency log service.
- If an empty object is provided the
- public instance of Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
 properties:
 ignoreTlog:
 description: IgnoreTlog skips transparency log verification.
 type: boolean
 pubkey:
- description: RekorPubKey is an optional
- PEM-encoded public key to use
- for a custom Rekor. If set, this
- will be used to validate transparency
- log signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
 type: string
 url:
 description: URL is the address
@@ -12315,12 +11174,9 @@ spec:
 type: string
 type: object
 repository:
- description: Repository is an optional alternate
- OCI repository to use for signatures and
- attestations that match this rule. If
- specified Repository will override other
- OCI image repository locations for this
- Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
 type: string
 type: object
 type: array
@@ -12361,9 +11217,9 @@ spec:
 type: object
 type: array
 repository:
- description: Repository is an optional alternate OCI
- repository to use for resource bundle reference. The
- repository can be overridden per Attestor or Attestation.
+ description: |-
+ Repository is an optional alternate OCI repository to use for resource bundle reference.
+ The repository can be overridden per Attestor or Attestation.
 type: string
 type: object
 message:
@@ -12375,9 +11231,9 @@ spec:
 used to check resources.
 x-kubernetes-preserve-unknown-fields: true
 podSecurity:
- description: PodSecurity applies exemptions for Kubernetes
- Pod Security admission by specifying exclusions for Pod
- Security Standards controls.
+ description: |-
+ PodSecurity applies exemptions for Kubernetes Pod Security admission
+ by specifying exclusions for Pod Security Standards controls.
 properties:
 exclude:
 description: Exclude specifies the Pod Security Standard
@@ -12387,8 +11243,9 @@ spec:
 Security Standard controls to be excluded.
 properties:
 controlName:
- description: 'ControlName specifies the name of
- the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/'
+ description: |-
+ ControlName specifies the name of the Pod Security Standard control.
+ See: https://kubernetes.io/docs/concepts/security/pod-security-standards/
 enum:
 - HostProcess
 - Host Namespaces
@@ -12407,13 +11264,11 @@ spec:
 - Running as Non-root user
 type: string
 images:
- description: 'Images selects matching containers
- and applies the container level PSS. Each image
- is the image name consisting of the registry
- address, repository, image, and tag. Empty list
- matches no containers, PSS checks are applied
- at the pod level only. Wildcards (''*'' and
- ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.'
+ description: |-
+ Images selects matching containers and applies the container level PSS.
+ Each image is the image name consisting of the registry address, repository, image, and tag.
+ Empty list matches no containers, PSS checks are applied at the pod level only.
+ Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.
 items:
 type: string
 type: array
@@ -12422,19 +11277,18 @@ spec:
 type: object
 type: array
 level:
- description: Level defines the Pod Security Standard
- level to be applied to workloads. Allowed values are
- privileged, baseline, and restricted.
+ description: |-
+ Level defines the Pod Security Standard level to be applied to workloads.
+ Allowed values are privileged, baseline, and restricted.
 enum:
 - privileged
 - baseline
 - restricted
 type: string
 version:
- description: Version defines the Pod Security Standard
- versions that Kubernetes supports. Allowed values
- are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25,
- v1.26, latest. Defaults to latest.
+ description: |-
+ Version defines the Pod Security Standard versions that Kubernetes supports.
+ Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest.
 enum:
 - v1.19
 - v1.20
@@ -12452,22 +11306,21 @@ spec:
 description: VerifyImages is used to verify image signatures and mutate them to add a digest
 items:
- description: ImageVerification validates that images that
- match the specified pattern are signed with the supplied
- public key. Once the image is verified it is mutated to
- include the SHA digest retrieved during the registration.
+ description: |-
+ ImageVerification validates that images that match the specified pattern
+ are signed with the supplied public key. Once the image is verified it is
+ mutated to include the SHA digest retrieved during the registration.
 properties:
 attestations:
- description: Attestations are optional checks for signed
- in-toto Statements used to verify the image. See https://github.com/in-toto/attestation.
- Kyverno fetches signed attestations from the OCI registry
- and decodes them into a list of Statement declarations.
+ description: |-
+ Attestations are optional checks for signed in-toto Statements used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statement declarations.
 items:
- description: Attestation are checks for signed in-toto
- Statements that are used to verify the image. See
- https://github.com/in-toto/attestation. Kyverno fetches
- signed attestations from the OCI registry and decodes
- them into a list of Statements.
+ description: |-
+ Attestation are checks for signed in-toto Statements that are used to verify the image.
+ See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the
+ OCI registry and decodes them into a list of Statements.
 properties:
 attestors:
 description: Attestors specify the required attestors
@@ -12475,31 +11328,25 @@ spec:
 items:
 properties:
 count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
 minimum: 1
 type: integer
 entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
 items:
 properties:
 annotations:
 additionalProperties:
 type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
 type: object
 attestor:
 description: Attestor is a nested set
@@ -12520,21 +11367,14 @@ spec:
 used to verify.
 type: string
 ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 properties:
 ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
 type: boolean
 pubkey:
 description: PubKey, if set,
@@ -12542,36 +11382,25 @@ spec:
 a custom source.
 type: string
 tsaCertChain:
- description: TSACertChain, if
- set, is the PEM-encoded certificate
- chain file for the RFC3161
- timestamp authority. Must
- contain the root CA certificate.
- Optionally may contain intermediate
- CA certificates, and may contain
- the leaf TSA certificate if
- not present in the timestamurce.
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
 type: string
 type: object
 rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
 properties:
 ignoreTlog:
 description: IgnoreTlog skips transparency log verification.
 type: boolean
 pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
 type: string
 url:
 description: URL is the address
@@ -12582,9 +11411,9 @@ spec:
 type: object
 type: object
 keyless:
- description: Keyless is a set of attribute
- used to verify a Sigstore keyless
- attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
+ description: |-
+ Keyless is a set of attribute used to verify a Sigstore keyless attestor.
+ See https://github.com/sigstore/cosign/blob/main/KEYLESS.md.
 properties:
 additionalExtensions:
 additionalProperties:
@@ -12594,21 +11423,14 @@ spec:
 for keyless signing.
 type: object
 ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 properties:
 ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
 type: boolean
 pubkey:
 description: PubKey, if set,
@@ -12616,15 +11438,10 @@ spec:
 a custom source.
 type: string
 tsaCertChain:
- description: TSACertChain, if
- set, is the PEM-encoded certificate
- chain file for the RFC3161
- timestamp authority. Must
- contain the root CA certificate.
- Optionally may contain intermediate
- CA certificates, and may contain
- the leaf TSA certificate if
- not present in the timestamurce.
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
 type: string
 type: object
 issuer:
@@ -12632,24 +11449,18 @@ spec:
 issuer used for keyless signing.
 type: string
 rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
 properties:
 ignoreTlog:
 description: IgnoreTlog skips transparency log verification.
 type: boolean
 pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
 type: string
 url:
 description: URL is the address
@@ -12659,10 +11470,9 @@ spec:
 type: string
 type: object
 roots:
- description: Roots is an optional
- set of PEM encoded trusted root
- certificates. If not provided,
- the system roots are used.
+ description: |-
+ Roots is an optional set of PEM encoded trusted root certificates.
+ If not provided, the system roots are used.
 type: string
 subject:
 description: Subject is the verified
@@ -12675,21 +11485,14 @@ spec:
 public keys.
 properties:
 ctlog:
- description: CTLog (certificate
- timestamp log) provides a configuration
- for validation of Signed Certificate
- Timestamps (SCTs). If the value
- is unset, the default behavior
- by Cosign is used.
+ description: |-
+ CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate
+ Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used.
 properties:
 ignoreSCT:
- description: IgnoreSCT defines
- whether to use the Signed
- Certificate Timestamp (SCT)
- log to check for a certificate
- timestamp. Default is false.
- Set to true if this was opted
- out during signing.
+ description: |-
+ IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
+ timestamp. Default is false. Set to true if this was opted out during signing.
 type: boolean
 pubkey:
 description: PubKey, if set,
@@ -12697,63 +11500,41 @@ spec:
 a custom source.
 type: string
 tsaCertChain:
- description: TSACertChain, if
- set, is the PEM-encoded certificate
- chain file for the RFC3161
- timestamp authority. Must
- contain the root CA certificate.
- Optionally may contain intermediate
- CA certificates, and may contain
- the leaf TSA certificate if
- not present in the timestamurce.
+ description: |-
+ TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
+ contain the root CA certificate. Optionally may contain intermediate CA certificates, and
+ may contain the leaf TSA certificate if not present in the timestamurce.
 type: string
 type: object
 kms:
- description: 'KMS provides the URI
- to the public key stored in a
- Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md'
+ description: |-
+ KMS provides the URI to the public key stored in a Key Management System. See:
+ https://github.com/sigstore/cosign/blob/main/KMS.md
 type: string
 publicKeys:
- description: Keys is a set of X.509
- public keys used to verify image
- signatures. The keys can be directly
- specified or can be a variable
- reference to a key specified in
- a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/),
- or reference a standard Kubernetes
- Secret elsewhere in the cluster
- by specifying it in the format
- "k8s:///".
- The named Secret must specify
- a key `cosign.pub` containing
- the public key used for verification,
- (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
- When multiple keys are specified
- each key is processed as a separate
- staticKey entry (.attestors[*].entries.keys)
- within the set of attestors and
- the count is applied across the
- keys.
+ description: |-
+ Keys is a set of X.509 public keys used to verify image signatures. The keys can be directly
+ specified or can be a variable reference to a key specified in a ConfigMap (see
+ https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret
+ elsewhere in the cluster by specifying it in the format "k8s:///".
+ The named Secret must specify a key `cosign.pub` containing the public key used for
+ verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret).
+ When multiple keys are specified each key is processed as a separate staticKey entry
+ (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys.
 type: string
 rekor:
- description: Rekor provides configuration
- for the Rekor transparency log
- service. If an empty object is
- provided the public instance of
- Rekor (https://rekor.sigstore.dev)
- is used.
+ description: |-
+ Rekor provides configuration for the Rekor transparency log service. If an empty object
+ is provided the public instance of Rekor (https://rekor.sigstore.dev) is used.
 properties:
 ignoreTlog:
 description: IgnoreTlog skips transparency log verification.
 type: boolean
 pubkey:
- description: RekorPubKey is
- an optional PEM-encoded public
- key to use for a custom Rekor.
- If set, this will be used
- to validate transparency log
- signatures from a custom Rekor.
+ description: |-
+ RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
+ If set, this will be used to validate transparency log signatures from a custom Rekor.
 type: string
 url:
 description: URL is the address
@@ -12789,37 +11570,30 @@ spec:
 type: string
 type: object
 repository:
- description: Repository is an optional
- alternate OCI repository to use for
- signatures and attestations that match
- this rule. If specified Repository
- will override other OCI image repository
- locations for this Attestor.
+ description: |-
+ Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule.
+ If specified Repository will override other OCI image repository locations for this Attestor.
 type: string
 type: object
 type: array
 type: object
 type: array
 conditions:
- description: Conditions are used to verify attributes
- within a Predicate. If no Conditions are specified
- the attestation check is satisfied as long there
- are predicates that match the predicate type.
+ description: |-
+ Conditions are used to verify attributes within a Predicate. If no Conditions are specified
+ the attestation check is satisfied as long there are predicates that match the predicate type.
 items:
- description: AnyAllConditions consists of conditions
- wrapped denoting a logical criteria to be fulfilled.
- AnyConditions get fulfilled when at least one
- of its sub-conditions passes. AllConditions
- get fulfilled only when all of its sub-conditions
- pass.
+ description: |-
+ AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled.
+ AnyConditions get fulfilled when at least one of its sub-conditions passes.
+ AllConditions get fulfilled only when all of its sub-conditions pass.
 properties:
 all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
 items:
 description: Condition defines variable-based conditional criteria for rule execution.
@@ -12834,14 +11608,11 @@ spec:
 display message
 type: string
 operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
 enum:
 - Equals
 - NotEquals
@@ -12861,20 +11632,18 @@ spec:
 - DurationLessThan
 type: string
 value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
 x-kubernetes-preserve-unknown-fields: true
 type: object
 type: array
 any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
 items:
 description: Condition defines variable-based conditional criteria for rule execution.
@@ -12889,14 +11658,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12916,10 +11682,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -12941,29 +11706,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -12984,19 +11745,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13004,33 +11760,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13040,8 +11788,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -13052,19 +11800,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13072,14 +11815,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -13087,22 +11826,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13111,10 +11846,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -13127,19 +11861,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13147,56 +11876,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -13229,24 +11943,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13259,9 +11969,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -13274,25 +11984,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13301,9 +12010,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -13325,23 +12034,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -13349,9 +12058,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -13364,34 +12073,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13403,11 +12112,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13418,11 +12126,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -13436,51 +12143,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13491,15 +12196,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -13521,13 +12225,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -13542,23 +12245,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13575,8 +12279,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -13588,10 +12293,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13605,23 +12309,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13634,14 +12338,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13651,11 +12355,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13677,10 +12380,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13689,60 +12391,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13755,20 +12446,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -13789,44 +12477,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13839,12 +12518,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -13859,36 +12536,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -13918,10 +12587,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13930,60 +12598,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13996,20 +12653,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14030,44 +12684,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14080,12 +12725,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14100,36 +12743,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14146,21 +12781,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -14168,57 +12801,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14231,20 +12856,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14264,42 +12886,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14312,12 +12927,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14332,32 +12945,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14373,11 +12982,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -14401,37 +13009,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14444,22 +13048,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -14471,11 +13072,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -14487,50 +13087,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14553,10 +13149,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14565,60 +13160,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14631,20 +13215,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14665,44 +13246,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14715,12 +13287,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14735,36 +13305,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14794,10 +13356,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14806,60 +13367,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14872,20 +13422,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14906,44 +13453,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14956,12 +13494,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14976,36 +13512,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15022,21 +13550,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -15044,57 +13570,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -15107,20 +13625,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -15140,42 +13655,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15188,12 +13696,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -15208,32 +13714,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15260,16 +13762,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15292,15 +13792,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15315,25 +13812,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15353,9 +13848,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15367,11 +13862,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15385,25 +13878,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15417,15 +13908,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -15440,43 +13930,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15491,14 +13979,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15518,20 +14003,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15546,14 +14029,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15573,10 +14053,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15585,14 +14064,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -15608,16 +14088,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15640,15 +14118,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15663,25 +14138,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15701,9 +14174,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15715,11 +14188,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15733,25 +14204,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15765,15 +14234,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15793,14 +14261,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -15814,27 +14280,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
@@ -15849,41 +14320,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -15899,124 +14374,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16027,13 +14482,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -16041,82 +14498,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -16128,41 +14586,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16175,12 +14626,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -16195,24 +14645,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -16235,15 +14683,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16258,25 +14703,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -16296,9 +14739,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16310,11 +14753,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16328,25 +14769,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -16360,15 +14799,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -16383,48 +14821,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16439,14 +14873,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16466,20 +14897,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16494,14 +14923,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16521,10 +14947,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -16547,31 +14972,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -16592,21 +15011,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16614,36 +15026,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16654,9 +15055,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16666,21 +15067,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16688,15 +15082,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16704,24 +15093,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16731,10 +15114,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16747,21 +15129,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16769,63 +15144,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16861,12 +15214,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16907,10 +15257,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16922,9 +15271,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16934,9 +15283,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -16955,14 +15304,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16971,19 +15317,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -17001,10 +15346,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17018,17 +15363,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -17036,33 +15379,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -17083,23 +15418,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17108,27 +15434,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17136,13 +15451,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17153,9 +15464,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17165,23 +15476,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17190,17 +15492,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17208,13 +15503,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17222,13 +15513,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17238,11 +15525,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17256,23 +15541,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17281,56 +15557,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17338,13 +15590,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17381,40 +15629,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17429,14 +15667,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17456,21 +15691,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -17485,14 +15717,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17512,10 +15741,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -17537,31 +15765,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -17582,21 +15804,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17604,35 +15819,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17643,8 +15848,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -17655,21 +15860,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17677,15 +15875,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -17693,23 +15886,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17719,10 +15907,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -17735,21 +15922,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17757,61 +15937,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -17846,12 +16006,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17861,13 +16018,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -17880,10 +16035,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17897,9 +16051,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17912,16 +16066,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -17936,9 +16089,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -17963,42 +16116,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -18012,11 +16165,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18032,8 +16186,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18061,10 +16216,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
diff --git a/config/crds/kyverno.io_policies.yaml b/config/crds/kyverno.io_policies.yaml index ff6f69fa9327..88054fa5a2a4 100644 --- a/config/crds/kyverno.io_policies.yaml +++ b/config/crds/kyverno.io_policies.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io 
@@ -60,19 +60,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -81,95 +86,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -180,15 +189,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -210,13 +218,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -231,22 +238,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -263,8 +272,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -275,10 +285,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -292,21 +301,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -319,13 +330,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -335,10 +347,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -360,11 +372,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -372,58 +383,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -436,20 +438,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -469,42 +468,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -517,12 +509,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -537,32 +527,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -593,11 +578,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -605,58 +589,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -669,20 +644,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -702,42 +674,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -750,12 +715,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -770,32 +733,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -813,20 +771,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -834,52 +791,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -891,19 +845,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -923,38 +875,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -966,12 +915,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -986,32 +933,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1027,10 +970,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -1052,34 +995,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1091,21 +1033,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -1117,12 +1057,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -1133,50 +1072,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -1198,11 +1134,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1210,58 +1145,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -1274,20 +1200,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1307,42 +1230,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1355,12 +1271,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1375,32 +1289,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -1431,11 +1340,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1443,58 +1351,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -1507,20 +1406,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1540,42 +1436,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -1588,12 +1477,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1608,32 +1495,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -1651,20 +1533,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1672,52 +1553,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1729,19 +1607,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1761,38 +1637,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1804,12 +1677,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1824,32 +1695,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1875,15 +1742,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -1905,14 +1771,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -1927,25 +1791,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1963,8 +1826,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -1977,11 +1840,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -1995,23 +1856,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2024,15 +1885,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2045,42 +1905,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2094,13 +1953,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2120,20 +1977,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2147,13 +2002,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2173,10 +2026,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2185,14 +2037,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -2208,15 +2061,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -2238,14 +2090,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2260,25 +2110,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2296,8 +2145,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2310,11 +2159,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2328,23 +2175,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2357,15 +2204,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -2384,13 +2230,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -2404,27 +2249,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -2439,39 +2289,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -2487,113 +2343,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -2604,13 +2446,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -2618,77 +2462,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -2701,40 +2550,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -2747,11 +2590,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -2765,23 +2608,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -2803,14 +2645,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2825,25 +2665,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2861,8 +2700,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -2875,11 +2714,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -2893,23 +2730,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2922,15 +2759,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -2944,47 +2780,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -2998,13 +2830,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3024,20 +2854,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3051,13 +2879,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -3077,10 +2903,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -3102,31 +2927,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -3147,19 +2966,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3167,33 +2981,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3204,8 +3010,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -3216,19 +3022,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -3236,14 +3037,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -3251,22 +3048,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -3276,10 +3069,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -3292,19 +3084,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -3312,57 +3099,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3396,12 +3167,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -3442,9 +3210,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -3456,9 +3224,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -3468,8 +3236,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -3488,13 +3257,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -3503,19 +3270,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -3533,10 +3299,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -3550,16 +3316,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -3567,31 +3332,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -3612,21 +3371,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3634,36 +3386,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3674,9 +3415,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -3686,21 +3427,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3708,15 +3442,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -3724,24 +3453,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3751,10 +3474,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -3767,21 +3489,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -3789,63 +3504,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -3881,37 +3574,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -3926,14 +3612,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -3953,20 +3636,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -3981,14 +3662,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -4008,10 +3686,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -4033,29 +3710,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -4076,19 +3749,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4096,33 +3764,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4132,8 +3792,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -4144,19 +3804,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -4164,14 +3819,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -4179,22 +3830,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -4203,10 +3850,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -4219,19 +3865,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -4239,56 +3880,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -4321,11 +3947,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -4335,13 +3959,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -4354,9 +3976,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4369,9 +3991,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -4384,16 +4006,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -4408,9 +4029,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -4432,23 +4053,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -4456,9 +4077,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -4471,34 +4092,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4510,11 +4131,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -4525,11 +4145,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -4544,51 +4163,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -4599,15 +4216,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -4629,13 +4245,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -4650,23 +4265,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4683,8 +4299,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -4696,10 +4313,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -4713,23 +4329,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -4742,14 +4358,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -4759,11 +4375,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -4785,10 +4400,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -4797,60 +4411,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -4863,20 +4466,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4897,44 +4497,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -4947,12 +4538,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4967,36 +4556,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5026,10 +4607,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5038,60 +4618,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5104,20 +4673,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5138,44 +4704,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5188,12 +4745,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5208,36 +4763,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5254,21 +4801,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5276,57 +4821,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5339,20 +4876,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5372,42 +4906,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5420,12 +4947,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5440,32 +4965,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5481,11 +5002,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -5509,37 +5029,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5552,22 +5068,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -5579,11 +5092,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -5595,50 +5107,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -5661,10 +5169,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5673,60 +5180,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5739,20 +5235,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5773,44 +5266,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -5823,12 +5307,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5843,36 +5325,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5902,10 +5376,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -5914,60 +5387,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -5980,20 +5442,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6014,44 +5473,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6064,12 +5514,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6084,36 +5532,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6130,21 +5570,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6152,57 +5590,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6215,20 +5645,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6248,42 +5675,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -6296,12 +5716,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6316,32 +5734,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6368,16 +5782,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6400,15 +5812,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6423,25 +5832,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6461,9 +5868,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6475,11 +5882,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6493,25 +5898,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6525,15 +5928,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -6548,43 +5950,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6599,14 +5999,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6626,20 +6023,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -6654,14 +6049,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -6681,10 +6073,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -6693,14 +6084,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -6716,16 +6108,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -6748,15 +6138,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6771,25 +6158,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -6809,9 +6194,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -6823,11 +6208,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -6841,25 +6224,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6873,15 +6254,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -6901,14 +6281,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -6922,27 +6300,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
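Review bot: The description added for the new `allowExistingViolations` field misspells "preexisting" as `prexisting` and, more importantly, does not say what the field gates or what `false` does, even though it defaults to `true`. Since this CRD appears to be generated, the fix belongs on the Go type's doc comment that feeds it, e.g. `// AllowExistingViolations allows preexisting violating resources to continue violating a policy.` followed by one sentence naming the default and the behaviour when set to `false` (presumably that the rule is then evaluated against such resources too — confirm against the validation code before wording it). Spelling out the consequence of the default matters here because an on-by-default relaxation of enforcement is easy to overlook when a policy is read as Enforce. The `validate` properties mapping this field is added to continues past the end of the hunk.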
@@ -6957,41 +6340,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -7007,124 +6394,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -7135,13 +6502,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -7149,82 +6518,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7236,41 +6606,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -7283,12 +6646,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -7303,24 +6665,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -7343,15 +6703,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -7366,25 +6723,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -7404,9 +6759,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -7418,11 +6773,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -7436,25 +6789,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -7468,15 +6819,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -7491,48 +6841,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7547,14 +6893,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7574,20 +6917,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -7602,14 +6943,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -7629,10 +6967,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -7655,31 +6992,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -7700,21 +7031,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7722,36 +7046,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
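Review bot: The re-wrapped `tsaCertChain` description still ends in the garbled word `timestamurce` ("...if not present in the timestamurce."), which the new block scalar carries over unchanged; presumably the intended wording is `if not present in the timestamp response`, so the last sentence should be corrected rather than only re-flowed. The same text recurs on the new side of the later `tsaCertChain` hunks (`@@ -7796,15 +7102,10 @@` and `@@ -7877,63 +7164,41 @@`), so the fix applies there too. Since the consistent re-wrap of every description suggests this CRD is regenerated from the Go API types, the correction belongs in the Go doc comment followed by a regenerate, otherwise the next codegen run reintroduces it. The enclosing `keys`/`rekor` attestor mapping starts before and continues after this hunk.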
@@ -7762,9 +7075,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -7774,21 +7087,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7796,15 +7102,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -7812,24 +7113,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -7839,10 +7134,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -7855,21 +7149,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -7877,63 +7164,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
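Review bot: The new `publicKeys` description tells users to reference a Secret "in the format `"k8s:///"`", a form with nothing between the slashes, which reads as a placeholder whose segments were dropped somewhere between the source comment and the generated schema; the old side has the same text, so the commit does not introduce it, but it is the one line in this hunk a policy author cannot act on. It should name the segments explicitly, presumably `"k8s://<namespace>/<name>"` — worth confirming against the Go doc comment and the image-verification docs before changing, and fixing at the source if the angle brackets are what gets stripped during generation. The enclosing attestor `entries` mapping starts before and continues after this hunk.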
@@ -7969,12 +7234,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8015,10 +7277,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -8030,9 +7291,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -8042,9 +7303,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -8063,14 +7324,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -8079,19 +7337,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -8109,10 +7366,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -8126,17 +7383,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -8144,33 +7399,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -8191,23 +7438,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8216,27 +7454,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8244,13 +7471,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8261,9 +7484,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -8273,23 +7496,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8298,17 +7512,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -8316,13 +7523,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8330,13 +7533,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8346,11 +7545,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -8364,23 +7561,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -8389,56 +7577,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -8446,13 +7610,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -8489,40 +7649,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8537,14 +7687,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8564,21 +7711,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -8593,14 +7737,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -8620,10 +7761,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -8645,31 +7785,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -8690,21 +7824,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8712,35 +7839,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8751,8 +7868,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -8763,21 +7880,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -8785,15 +7895,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -8801,23 +7906,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -8827,10 +7927,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -8843,21 +7942,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -8865,61 +7957,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -8954,12 +8026,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -8969,13 +8038,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -8988,10 +8055,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9005,9 +8071,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -9020,16 +8086,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -9044,9 +8109,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -9071,42 +8136,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -9120,11 +8185,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -9140,8 +8206,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -9169,10 +8236,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -9230,19 +8296,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -9251,94 +8322,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -9349,15 +8424,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -9379,13 +8453,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -9400,22 +8473,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9432,8 +8507,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -9444,10 +8520,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -9461,21 +8536,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -9488,13 +8565,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -9504,10 +8582,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -9529,11 +8607,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9541,58 +8618,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9605,20 +8673,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9638,42 +8703,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9686,12 +8744,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9706,32 +8762,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9762,11 +8813,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -9774,58 +8824,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9838,20 +8879,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -9871,42 +8909,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -9919,12 +8950,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -9939,32 +8968,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -9983,10 +9007,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -10008,34 +9032,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -10047,21 +9070,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -10073,12 +9094,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -10089,50 +9109,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -10154,11 +9171,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10166,58 +9182,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10230,20 +9237,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10263,42 +9267,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10311,12 +9308,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10331,32 +9326,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10387,11 +9377,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -10399,58 +9388,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -10463,20 +9443,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -10496,42 +9473,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -10544,12 +9514,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -10564,32 +9532,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -10618,15 +9581,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10648,14 +9610,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -10670,25 +9630,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -10706,8 +9665,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -10720,11 +9679,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -10738,23 +9695,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -10767,15 +9724,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -10788,42 +9744,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10837,13 +9792,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10863,20 +9816,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10890,13 +9841,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -10916,10 +9865,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -10928,14 +9876,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -10951,15 +9900,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -10981,14 +9929,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11003,25 +9949,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11039,8 +9984,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11053,11 +9998,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11071,23 +10014,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11100,15 +10043,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -11127,13 +10069,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -11147,17 +10088,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -11168,11 +10109,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11190,18 +10131,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -11212,11 +10153,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11234,27 +10175,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -11269,39 +10210,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -11317,113 +10264,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -11434,13 +10367,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -11448,77 +10383,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11531,40 +10471,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -11577,14 +10511,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -11597,13 +10532,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11621,17 +10554,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -11644,13 +10577,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -11668,9 +10599,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -11687,23 +10618,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -11725,14 +10655,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11747,25 +10675,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11783,8 +10710,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -11797,11 +10724,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -11815,23 +10740,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11844,15 +10769,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -11866,47 +10790,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11920,13 +10840,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11946,20 +10864,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -11973,13 +10889,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -11999,10 +10913,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -12024,31 +10937,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -12069,19 +10976,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -12089,33 +10991,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12126,8 +11020,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -12138,19 +11032,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -12158,14 +11047,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -12173,22 +11058,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -12198,10 +11079,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -12214,19 +11094,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -12234,57 +11109,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12318,12 +11177,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -12364,9 +11220,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -12378,9 +11234,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -12390,8 +11246,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -12410,13 +11267,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -12425,19 +11280,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -12455,22 +11309,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -12478,31 +11331,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -12523,21 +11370,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12545,36 +11385,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12585,9 +11414,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -12597,21 +11426,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12619,15 +11441,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -12635,24 +11452,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12662,10 +11473,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -12678,21 +11488,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -12700,63 +11503,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -12792,37 +11573,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -12837,14 +11611,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12864,20 +11635,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -12892,14 +11661,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -12919,10 +11685,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -12944,29 +11709,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -12987,19 +11748,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13007,33 +11763,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13043,8 +11791,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -13055,19 +11803,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -13075,14 +11818,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -13090,22 +11829,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -13114,10 +11849,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -13130,19 +11864,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -13150,56 +11879,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -13232,24 +11946,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -13262,9 +11972,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -13277,25 +11987,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -13304,9 +12013,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -13328,23 +12037,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -13352,9 +12061,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -13367,34 +12076,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13406,11 +12115,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -13421,11 +12129,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -13439,51 +12146,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -13494,15 +12199,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -13524,13 +12228,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -13545,23 +12248,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -13578,8 +12282,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -13591,10 +12296,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -13608,23 +12312,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13637,14 +12341,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -13654,11 +12358,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -13680,10 +12383,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13692,60 +12394,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13758,20 +12449,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -13792,44 +12480,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -13842,12 +12521,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -13862,36 +12539,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -13921,10 +12590,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -13933,60 +12601,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -13999,20 +12656,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14033,44 +12687,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14083,12 +12728,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14103,36 +12746,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14149,21 +12784,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -14171,57 +12804,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14234,20 +12859,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14267,42 +12889,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14315,12 +12930,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14335,32 +12948,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14376,11 +12985,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -14404,37 +13012,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14447,22 +13051,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -14474,11 +13075,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -14490,50 +13090,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -14556,10 +13152,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14568,60 +13163,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14634,20 +13218,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14668,44 +13249,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14718,12 +13290,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14738,36 +13308,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -14797,10 +13359,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -14809,60 +13370,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -14875,20 +13425,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -14909,44 +13456,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -14959,12 +13497,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -14979,36 +13515,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15025,21 +13553,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -15047,57 +13573,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -15110,20 +13628,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -15143,42 +13658,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -15191,12 +13699,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -15211,32 +13717,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -15263,16 +13765,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15295,15 +13795,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15318,25 +13815,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15356,9 +13851,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15370,11 +13865,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15388,25 +13881,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15420,15 +13911,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -15443,43 +13933,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15494,14 +13982,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15521,20 +14006,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15549,14 +14032,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -15576,10 +14056,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -15588,14 +14067,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -15611,16 +14091,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -15643,15 +14121,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15666,25 +14141,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -15704,9 +14177,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -15718,11 +14191,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -15736,25 +14207,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -15768,15 +14237,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -15796,14 +14264,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -15817,27 +14283,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
@@ -15852,41 +14323,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -15902,124 +14377,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -16030,13 +14485,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -16044,82 +14501,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -16131,41 +14589,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -16178,12 +14629,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -16198,24 +14648,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -16238,15 +14686,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -16261,25 +14706,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -16299,9 +14742,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -16313,11 +14756,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -16331,25 +14772,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -16363,15 +14802,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -16386,48 +14824,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16442,14 +14876,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16469,20 +14900,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -16497,14 +14926,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -16524,10 +14950,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -16550,31 +14975,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -16595,21 +15014,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16617,36 +15029,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16657,9 +15058,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -16669,21 +15070,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16691,15 +15085,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -16707,24 +15096,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16734,10 +15117,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -16750,21 +15132,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -16772,63 +15147,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -16864,12 +15217,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -16910,10 +15260,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -16925,9 +15274,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -16937,9 +15286,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -16958,14 +15307,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -16974,19 +15320,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -17004,10 +15349,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -17021,17 +15366,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -17039,33 +15382,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -17086,23 +15421,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17111,27 +15437,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17139,13 +15454,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17156,9 +15467,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -17168,23 +15479,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17193,17 +15495,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -17211,13 +15506,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17225,13 +15516,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17241,11 +15528,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -17259,23 +15544,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -17284,56 +15560,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -17341,13 +15593,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -17384,40 +15632,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17432,14 +15670,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17459,21 +15694,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -17488,14 +15720,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -17515,10 +15744,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -17540,31 +15768,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -17585,21 +15807,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17607,35 +15822,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17646,8 +15851,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -17658,21 +15863,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -17680,15 +15878,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -17696,23 +15889,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -17722,10 +15910,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -17738,21 +15925,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -17760,61 +15940,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -17849,12 +16009,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -17864,13 +16021,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -17883,10 +16038,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -17900,9 +16054,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -17915,16 +16069,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -17939,9 +16092,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -17966,42 +16119,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -18015,11 +16168,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -18035,8 +16189,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -18064,10 +16219,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
diff --git a/config/crds/kyverno.io_policyexceptions.yaml b/config/crds/kyverno.io_policyexceptions.yaml index a27e39eabd4a..d86b22970492 100644 --- a/config/crds/kyverno.io_policyexceptions.yaml +++ b/config/crds/kyverno.io_policyexceptions.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -26,14 +26,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -41,11 +46,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -53,9 +57,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -91,11 +96,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -103,52 +107,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -160,19 +161,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -192,38 +191,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -235,12 +231,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -255,32 +249,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -309,11 +299,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -321,52 +310,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -378,19 +364,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -410,38 +394,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -453,12 +434,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -473,32 +452,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -525,14 +500,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -540,11 +520,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -552,9 +531,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -590,11 +570,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -602,52 +581,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -659,19 +635,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -691,38 +665,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -734,12 +705,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -754,32 +723,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -808,11 +773,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -820,52 +784,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -877,19 +838,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -909,38 +868,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -952,12 +908,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -972,32 +926,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
diff --git a/config/crds/kyverno.io_updaterequests.yaml b/config/crds/kyverno.io_updaterequests.yaml index c1ff4500e2a6..470bc5d2ceeb 100644 --- a/config/crds/kyverno.io_updaterequests.yaml +++ b/config/crds/kyverno.io_updaterequests.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -47,14 +47,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -73,9 +78,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -93,10 +98,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with 
@@ -112,38 +116,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. 
\n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string 
@@ -157,22 +156,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string 
@@ -186,12 +182,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -213,14 +207,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting 
@@ -243,10 +234,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -302,10 +293,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -351,8 +342,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -365,8 +357,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: diff --git a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml index 18c28825aae4..d6fed25c280e 100644 
--- a/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml +++ b/config/crds/wgpolicyk8s.io_clusterpolicyreports.yaml @@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -48,14 +48,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -82,35 +87,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -122,11 +127,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -134,63 +138,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). 
This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -228,15 +232,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 
@@ -257,61 +262,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -323,10 +338,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/config/crds/wgpolicyk8s.io_policyreports.yaml b/config/crds/wgpolicyk8s.io_policyreports.yaml index ffcb151420aa..6289f430359c 100644 --- a/config/crds/wgpolicyk8s.io_policyreports.yaml +++ b/config/crds/wgpolicyk8s.io_policyreports.yaml 
@@ -3,7 +3,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -47,14 +47,19 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -81,35 +86,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -121,11 +126,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -133,63 +137,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). 
This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -227,15 +231,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 
@@ -256,61 +261,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -322,10 +337,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/config/install-latest-testing.yaml b/config/install-latest-testing.yaml index 4276232ace0b..243943b22885 100644 --- a/config/install-latest-testing.yaml +++ b/config/install-latest-testing.yaml 
@@ -215,7 +215,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: admissionreports.kyverno.io spec: group: kyverno.io @@ -265,14 +265,19 @@ spec: description: AdmissionReport is the Schema for the AdmissionReports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -286,25 +291,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion 
@@ -336,35 +349,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -376,11 +389,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -388,66 +400,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -486,17 +495,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -552,7 +562,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: backgroundscanreports.kyverno.io spec: group: kyverno.io @@ -606,14 +616,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -642,35 +657,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -682,11 +697,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -694,66 +708,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -792,17 +803,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -856,7 +868,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: cleanuppolicies.kyverno.io spec: group: kyverno.io @@ -885,14 +897,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -904,10 +921,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -918,11 +936,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -940,17 +958,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -961,11 +980,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -983,9 +1002,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -994,13 +1013,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -1020,12 +1040,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -1038,22 +1058,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -1070,8 +1092,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -1082,9 +1105,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -1097,21 +1120,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -1124,13 +1149,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -1140,10 +1166,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -1164,11 +1190,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1176,52 +1201,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1233,19 +1255,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1265,38 +1285,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1308,12 +1325,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1328,32 +1343,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1382,11 +1393,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1394,52 +1404,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1451,19 +1458,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1483,38 +1488,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1526,12 +1528,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1546,32 +1546,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1583,10 +1579,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -1607,11 +1604,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1619,52 +1615,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1676,19 +1669,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1708,38 +1699,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1751,12 +1739,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1771,32 +1757,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -1825,11 +1807,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -1837,52 +1818,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -1894,19 +1872,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -1926,38 +1902,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -1969,12 +1942,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -1989,32 +1960,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2037,42 +2004,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -2086,11 +2053,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -2126,14 +2094,19 @@ spec: description: CleanupPolicy defines a rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -2145,10 +2118,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -2159,11 +2133,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2181,17 +2155,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -2202,11 +2177,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -2224,9 +2199,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -2235,13 +2210,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -2261,12 +2237,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -2279,22 +2255,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -2311,8 +2289,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -2323,9 +2302,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -2338,21 +2317,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -2365,13 +2346,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -2381,10 +2363,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -2405,11 +2387,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2417,52 +2398,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2474,19 +2452,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2506,38 +2482,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2549,12 +2522,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2569,32 +2540,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2623,11 +2590,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2635,52 +2601,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2692,19 +2655,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2724,38 +2685,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2767,12 +2725,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -2787,32 +2743,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -2824,10 +2776,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -2848,11 +2801,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -2860,52 +2812,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -2917,19 +2866,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -2949,38 +2896,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -2992,12 +2936,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -3012,32 +2954,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -3066,11 +3004,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -3078,52 +3015,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -3135,19 +3069,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -3167,38 +3099,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3210,12 +3139,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -3230,32 +3157,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -3278,42 +3201,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -3327,11 +3250,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -3366,7 +3290,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusteradmissionreports.kyverno.io spec: group: kyverno.io 
@@ -3417,14 +3341,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3438,25 +3367,33 @@ spec: description: API version of the referent. type: string blockOwnerDeletion: - description: If true, AND if the owner has the "foregroundDeletion" - finalizer, then the owner cannot be deleted from the key-value - store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion - for how the garbage collector interacts with this field and - enforces the foreground deletion. Defaults to false. To set - this field, a user needs "delete" permission of the owner, otherwise - 422 (Unprocessable Entity) will be returned. + description: |- + If true, AND if the owner has the "foregroundDeletion" finalizer, then + the owner cannot be deleted from the key-value store until this + reference is removed. + See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion + for how the garbage collector interacts with this field and enforces the foreground deletion. + Defaults to false. + To set this field, a user needs "delete" permission of the owner, + otherwise 422 (Unprocessable Entity) will be returned. type: boolean controller: description: If true, this reference points to the managing controller. type: boolean kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#names type: string uid: - description: 'UID of the referent. 
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names#uids type: string required: - apiVersion 
@@ -3488,35 +3425,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3528,11 +3465,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -3540,66 +3476,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3638,17 +3571,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -3704,7 +3638,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterbackgroundscanreports.kyverno.io spec: group: kyverno.io @@ -3758,14 +3692,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -3794,35 +3733,35 @@ spec: the policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for - checked Kubernetes resources. For example, a policy result - may apply to all pods that match a label. Either a Subject - or a SubjectSelector can be specified. If neither are provided, - the result is assumed to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -3834,11 +3773,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -3846,66 +3784,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information - to let you inspect or modify the referred object. --- New - uses of this type are discouraged because of difficulty - describing its usage when embedded in APIs. 1. Ignored fields. - \ It includes many fields which are not generally honored. - \ For instance, ResourceVersion and FieldPath are both very - rarely valid in actual usage. 2. Invalid usage help. It - is impossible to add specific help for individual usage. - \ In most embedded usages, there are particular restrictions - like, \"must refer only to types A and B\" or \"UID not - honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. - \ Because the usages are different, the validation rules - are different by usage, which makes it hard for users to - predict what will happen. 4. The fields are both imprecise - and overly precise. Kind is not a precise mapping to a - URL. This can produce ambiguity during interpretation and - require a REST mapping. In most cases, the dependency is - on the group,resource tuple and the version of the actual - struct is irrelevant. 5. We cannot easily change it. Because - this type is embedded in many locations, updates to this - type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n - Instead of using this type, create a locally provided and - used type that is well-focused on your reference. For example, - ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container - within a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that - triggered the event) or if no container name is specified - "spec.containers[2]" (container with index 2 in this - pod). 
This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design - is not final and this field is subject to change in - the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -3944,17 +3879,18 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must - still have non-negative nanos values that count forward - in time. Must be from 0 to 999,999,999 inclusive. This - field may be limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch - 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z - to 9999-12-31T23:59:59Z inclusive. + description: |- + Represents seconds of UTC time since Unix epoch + 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to + 9999-12-31T23:59:59Z inclusive. format: int64 type: integer required: 
@@ -4008,7 +3944,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clustercleanuppolicies.kyverno.io spec: group: kyverno.io @@ -4037,14 +3973,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -4056,10 +3997,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -4070,11 +4012,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -4092,17 +4034,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -4113,11 +4056,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -4135,9 +4078,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -4146,13 +4089,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -4172,12 +4116,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -4190,22 +4134,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -4222,8 +4168,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -4234,9 +4181,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -4249,21 +4196,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -4276,13 +4225,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -4292,10 +4242,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -4316,11 +4266,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4328,52 +4277,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4385,19 +4331,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4417,38 +4361,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4460,12 +4401,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4480,32 +4419,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -4534,11 +4469,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4546,52 +4480,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4603,19 +4534,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4635,38 +4564,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4678,12 +4604,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4698,32 +4622,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -4735,10 +4655,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -4759,11 +4680,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4771,52 +4691,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -4828,19 +4745,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -4860,38 +4775,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -4903,12 +4815,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -4923,32 +4833,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -4977,11 +4883,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -4989,52 +4894,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5046,19 +4948,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5078,38 +4978,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5121,12 +5018,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5141,32 +5036,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5189,42 +5080,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -5238,11 +5129,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string 
@@ -5278,14 +5170,19 @@ spec: description: ClusterCleanupPolicy defines rule for resource cleanup. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -5297,10 +5194,11 @@ spec: resources which will be cleaned up. properties: all: - description: AllConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, all of the conditions need to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -5311,11 +5209,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -5333,17 +5231,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional rule - execution. This is useful for finer control of when an rule - is applied. A condition can reference object data using JMESPath - notation. Here, at least one of the conditions need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -5354,11 +5253,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation to perform. - Valid operators are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -5376,9 +5275,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set of values. - The values can be fixed set or can be variables declared - using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -5387,13 +5286,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources to a rule - Context. Either a ConfigMap reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes API - server, or other JSON web service. The data returned is stored - in the context with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to the server. 
@@ -5413,12 +5313,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response returned - from the server. For example a JMESPath of "items | length(@)" - applied to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across all - namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -5431,22 +5331,24 @@ spec: description: Service is an API call to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded CA bundle which - will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. A typical - form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in the HTTP - GET or POST request to the Kubernetes API server (e.g. - "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the `kubectl - get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -5463,8 +5365,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -5475,9 +5378,9 @@ spec: to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -5490,21 +5393,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live in - the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct returned - as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -5517,13 +5422,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON object - that the variable may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -5533,10 +5439,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when cleanuppolicy should not - be applied. The exclude criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review request - information like the name or role. + description: |- + ExcludeResources defines when cleanuppolicy should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will be ANDed @@ -5557,11 +5463,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5569,52 +5474,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5626,19 +5528,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5658,38 +5558,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5701,12 +5598,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5721,32 +5616,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5775,11 +5666,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -5787,52 +5677,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -5844,19 +5731,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -5876,38 +5761,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -5919,12 +5801,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -5939,32 +5819,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -5976,10 +5852,11 @@ spec: type: array type: object match: - description: MatchResources defines when cleanuppolicy should be applied. - The match criteria can include resource information (e.g. kind, - name, namespace, labels) and admission review request information - like the user name or role. At least one kind is required. + description: |- + MatchResources defines when cleanuppolicy should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will be ANDed @@ -6000,11 +5877,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6012,52 +5888,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6069,19 +5942,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6101,38 +5972,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6144,12 +6012,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6164,32 +6030,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6218,11 +6080,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6230,52 +6091,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -6287,19 +6145,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6319,38 +6175,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -6362,12 +6215,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -6382,32 +6233,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -6430,42 +6277,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -6479,11 +6326,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -6518,7 +6366,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicies.kyverno.io spec: group: kyverno.io 
@@ -6579,14 +6427,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -6595,95 +6448,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -6694,15 +6551,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -6724,13 +6580,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -6745,22 +6600,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -6777,8 +6634,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -6789,10 +6647,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -6806,21 +6663,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -6833,13 +6692,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -6849,10 +6709,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -6874,11 +6734,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -6886,58 +6745,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -6950,20 +6800,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -6983,42 +6830,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7031,12 +6871,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7051,32 +6889,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -7107,11 +6940,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7119,58 +6951,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7183,20 +7006,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -7216,42 +7036,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7264,12 +7077,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7284,32 +7095,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -7327,20 +7133,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7348,52 +7153,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7405,19 +7207,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -7437,38 +7237,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -7480,12 +7277,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7500,32 +7295,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -7541,10 +7332,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -7566,34 +7357,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -7605,21 +7395,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -7631,12 +7419,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -7647,50 +7434,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -7712,11 +7496,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7724,58 +7507,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -7788,20 +7562,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -7821,42 +7592,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -7869,12 +7633,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -7889,32 +7651,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -7945,11 +7702,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -7957,58 +7713,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -8021,20 +7768,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -8054,42 +7798,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -8102,12 +7839,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -8122,32 +7857,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -8165,20 +7895,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -8186,52 +7915,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -8243,19 +7969,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -8275,38 +7999,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -8318,12 +8039,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -8338,32 +8057,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -8389,15 +8104,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8419,14 +8133,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -8441,25 +8153,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8477,8 +8188,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -8491,11 +8202,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8509,23 +8218,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -8538,15 +8247,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -8559,42 +8267,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8608,13 +8315,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -8634,20 +8339,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -8661,13 +8364,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -8687,10 +8388,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -8699,14 +8399,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -8722,15 +8423,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -8752,14 +8452,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -8774,25 +8472,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -8810,8 +8507,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -8824,11 +8521,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -8842,23 +8537,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -8871,15 +8566,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -8898,13 +8592,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -8918,27 +8611,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -8953,39 +8651,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -9001,113 +8705,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -9118,13 +8808,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -9132,77 +8824,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -9215,40 +8912,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -9261,11 +8952,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -9279,23 +8970,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -9317,14 +9007,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -9339,25 +9027,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -9375,8 +9062,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -9389,11 +9076,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -9407,23 +9092,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -9436,15 +9121,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -9458,47 +9142,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9512,13 +9192,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -9538,20 +9216,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -9565,13 +9241,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -9591,10 +9265,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -9616,31 +9289,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -9661,19 +9328,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -9681,33 +9343,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9718,8 +9372,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -9730,19 +9384,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -9750,14 +9399,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -9765,22 +9410,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -9790,10 +9431,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -9806,19 +9446,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -9826,57 +9461,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -9910,12 +9529,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -9956,9 +9572,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -9970,9 +9586,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -9982,8 +9598,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -10002,13 +9619,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -10017,19 +9632,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -10047,10 +9661,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -10064,16 +9678,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -10081,31 +9694,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -10126,21 +9733,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -10148,36 +9748,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -10188,9 +9777,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -10200,21 +9789,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -10222,15 +9804,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -10238,24 +9815,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -10265,10 +9836,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -10281,21 +9851,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -10303,63 +9866,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -10395,37 +9936,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -10440,14 +9974,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10467,20 +9998,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -10495,14 +10024,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -10522,10 +10048,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -10547,29 +10072,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -10590,19 +10111,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -10610,33 +10126,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10646,8 +10154,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -10658,19 +10166,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -10678,14 +10181,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -10693,22 +10192,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -10717,10 +10212,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -10733,19 +10227,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -10753,56 +10242,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -10835,11 +10309,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -10849,13 +10321,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -10868,9 +10338,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -10883,9 +10353,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -10898,16 +10368,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -10922,9 +10391,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -10946,23 +10415,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -10970,9 +10439,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -10985,34 +10454,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -11024,11 +10493,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -11039,11 +10507,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -11057,51 +10524,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -11112,15 +10577,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -11142,13 +10606,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -11163,23 +10626,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -11196,8 +10660,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -11209,10 +10674,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -11226,23 +10690,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -11255,14 +10719,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -11272,11 +10736,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -11298,10 +10761,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -11310,60 +10772,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11376,20 +10827,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -11410,44 +10858,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11460,12 +10899,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -11480,36 +10917,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -11539,10 +10968,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -11551,60 +10979,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11617,20 +11034,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -11651,44 +11065,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11701,12 +11106,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -11721,36 +11124,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -11767,21 +11162,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -11789,57 +11182,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -11852,20 +11237,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -11885,42 +11267,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -11933,12 +11308,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -11953,32 +11326,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -11994,11 +11363,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -12022,37 +11390,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12065,22 +11429,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -12092,11 +11453,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -12108,50 +11468,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -12174,10 +11530,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -12186,60 +11541,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12252,20 +11596,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -12286,44 +11627,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12336,12 +11668,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -12356,36 +11686,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -12415,10 +11737,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -12427,60 +11748,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12493,20 +11803,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -12527,44 +11834,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12577,12 +11875,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -12597,36 +11893,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -12643,21 +11931,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -12665,57 +11951,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -12728,20 +12006,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -12761,42 +12036,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -12809,12 +12077,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -12829,32 +12095,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -12881,16 +12143,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -12913,15 +12173,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -12936,25 +12193,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -12974,9 +12229,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -12988,11 +12243,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13006,25 +12259,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13038,15 +12289,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -13061,43 +12311,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13112,14 +12360,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -13139,20 +12384,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -13167,14 +12410,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -13194,10 +12434,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -13206,14 +12445,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -13229,16 +12469,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -13261,15 +12499,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -13284,25 +12519,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -13322,9 +12555,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -13336,11 +12569,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13354,25 +12585,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13386,15 +12615,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -13414,14 +12642,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -13435,27 +12661,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
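Review bot: The new `allowExistingViolations` field in this hunk defaults to `true` but its description only says it "allows prexisting violating resources to continue violating a policy" (typo: `preexisting`) and never states what setting it to `false` does, unlike the neighbouring `skipBackgroundRequests` description, which spells out the default and when to flip it. Because `true` is the permissive default, a reader of the schema should be able to tell from the description that existing violators are not re-evaluated unless they opt out; something like `AllowExistingViolations allows preexisting violating resources to continue violating a policy. Defaults to true; set to false to <behaviour when disabled> existing violations.` with the false-branch wording taken from the implementation. This file appears to be generated CRD output, so the fix belongs in the Go type's doc comment rather than here.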
@@ -13470,41 +12701,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -13520,124 +12755,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -13648,13 +12863,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -13662,82 +12879,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -13749,41 +12967,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -13796,12 +13007,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -13816,24 +13026,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -13856,15 +13064,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -13879,25 +13084,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -13917,9 +13120,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -13931,11 +13134,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -13949,25 +13150,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -13981,15 +13180,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -14004,48 +13202,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -14060,14 +13254,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -14087,20 +13278,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -14115,14 +13304,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -14142,10 +13328,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -14168,31 +13353,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -14213,21 +13392,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -14235,36 +13407,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -14275,9 +13436,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14287,21 +13448,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -14309,15 +13463,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14325,24 +13474,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -14352,10 +13495,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -14368,21 +13510,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -14390,63 +13525,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -14482,12 +13595,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -14528,10 +13638,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -14543,9 +13652,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -14555,9 +13664,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -14576,14 +13685,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -14592,19 +13698,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -14622,10 +13727,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -14639,17 +13744,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -14657,33 +13760,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -14704,23 +13799,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -14729,27 +13815,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14757,13 +13832,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -14774,9 +13845,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -14786,23 +13857,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -14811,17 +13873,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -14829,13 +13884,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14843,13 +13894,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -14859,11 +13906,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -14877,23 +13922,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -14902,56 +13938,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -14959,13 +13971,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -15002,40 +14010,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -15050,14 +14048,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15077,21 +14072,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -15106,14 +14098,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -15133,10 +14122,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -15158,31 +14146,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -15203,21 +14185,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -15225,35 +14200,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15264,8 +14229,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -15276,21 +14241,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -15298,15 +14256,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -15314,23 +14267,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -15340,10 +14288,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -15356,21 +14303,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -15378,61 +14318,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -15467,12 +14387,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -15482,13 +14399,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -15501,10 +14416,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15518,9 +14432,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -15533,16 +14447,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -15557,9 +14470,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -15584,42 +14497,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -15633,11 +14546,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -15653,8 +14567,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -15682,10 +14597,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -15747,14 +14661,19 @@ spec: for matching resources. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -15763,94 +14682,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -15861,15 +14784,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -15891,13 +14813,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -15912,22 +14833,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -15944,8 +14867,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -15956,10 +14880,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -15973,21 +14896,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -16000,13 +14925,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -16016,10 +14942,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -16041,11 +14967,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -16053,58 +14978,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -16117,20 +15033,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -16150,42 +15063,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16198,12 +15104,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -16218,32 +15122,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -16274,11 +15173,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -16286,58 +15184,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -16350,20 +15239,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -16383,42 +15269,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16431,12 +15310,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -16451,32 +15328,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -16495,10 +15367,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -16520,34 +15392,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -16559,21 +15430,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -16585,12 +15454,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -16601,50 +15469,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -16666,11 +15531,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -16678,58 +15542,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -16742,20 +15597,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -16775,42 +15627,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -16823,12 +15668,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -16843,32 +15686,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -16899,11 +15737,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -16911,58 +15748,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -16975,20 +15803,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -17008,42 +15833,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -17056,12 +15874,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -17076,32 +15892,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -17130,15 +15941,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -17160,14 +15970,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -17182,25 +15990,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -17218,8 +16025,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -17232,11 +16039,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17250,23 +16055,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -17279,15 +16084,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -17300,42 +16104,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17349,13 +16152,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17375,20 +16176,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -17402,13 +16201,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17428,10 +16225,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -17440,14 +16236,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -17463,15 +16260,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -17493,14 +16289,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -17515,25 +16309,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -17551,8 +16344,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -17565,11 +16358,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -17583,23 +16374,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -17612,15 +16403,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -17639,13 +16429,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -17659,17 +16448,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -17680,11 +16469,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17702,18 +16491,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -17724,11 +16513,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -17746,27 +16535,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -17781,39 +16570,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -17829,113 +16624,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -17946,13 +16727,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -17960,77 +16743,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -18043,40 +16831,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -18089,14 +16871,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -18109,13 +16892,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18133,17 +16914,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -18156,13 +16937,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -18180,9 +16959,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -18199,23 +16978,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -18237,14 +17015,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -18259,25 +17035,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -18295,8 +17070,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -18309,11 +17084,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -18327,23 +17100,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -18356,15 +17129,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -18378,47 +17150,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18432,13 +17200,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -18458,20 +17224,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -18485,13 +17249,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -18511,10 +17273,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -18536,31 +17297,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -18581,19 +17336,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -18601,33 +17351,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18638,8 +17380,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -18650,19 +17392,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -18670,14 +17407,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -18685,22 +17418,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -18710,10 +17439,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -18726,19 +17454,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -18746,57 +17469,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -18830,12 +17537,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -18876,9 +17580,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -18890,9 +17594,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -18902,8 +17606,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -18922,13 +17627,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -18937,19 +17640,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -18967,22 +17669,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -18990,31 +17691,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -19035,21 +17730,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -19057,36 +17745,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -19097,9 +17774,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -19109,21 +17786,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -19131,15 +17801,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -19147,24 +17812,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -19174,10 +17833,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -19190,21 +17848,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -19212,63 +17863,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -19304,37 +17933,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -19349,14 +17971,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19376,20 +17995,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -19404,14 +18021,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -19431,10 +18045,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -19456,29 +18069,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -19499,19 +18108,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -19519,33 +18123,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19555,8 +18151,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -19567,19 +18163,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -19587,14 +18178,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -19602,22 +18189,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -19626,10 +18209,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -19642,19 +18224,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -19662,56 +18239,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -19744,24 +18306,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -19774,9 +18332,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -19789,25 +18347,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -19816,9 +18373,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -19840,23 +18397,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -19864,9 +18421,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -19879,34 +18436,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -19918,11 +18475,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -19933,11 +18489,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -19951,51 +18506,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -20006,15 +18559,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -20036,13 +18588,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -20057,23 +18608,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -20090,8 +18642,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -20103,10 +18656,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -20120,23 +18672,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -20149,14 +18701,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -20166,11 +18718,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -20192,10 +18743,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -20204,60 +18754,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20270,20 +18809,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -20304,44 +18840,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20354,12 +18881,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -20374,36 +18899,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -20433,10 +18950,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -20445,60 +18961,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20511,20 +19016,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -20545,44 +19047,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20595,12 +19088,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -20615,36 +19106,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -20661,21 +19144,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -20683,57 +19164,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20746,20 +19219,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -20779,42 +19249,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -20827,12 +19290,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -20847,32 +19308,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -20888,11 +19345,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -20916,37 +19372,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -20959,22 +19411,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -20986,11 +19435,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -21002,50 +19450,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -21068,10 +19512,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -21080,60 +19523,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -21146,20 +19578,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -21180,44 +19609,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21230,12 +19650,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -21250,36 +19668,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -21309,10 +19719,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -21321,60 +19730,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -21387,20 +19785,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -21421,44 +19816,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21471,12 +19857,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -21491,36 +19875,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -21537,21 +19913,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -21559,57 +19933,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -21622,20 +19988,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -21655,42 +20018,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -21703,12 +20059,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -21723,32 +20077,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -21775,16 +20125,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -21807,15 +20155,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -21830,25 +20175,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -21868,9 +20211,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -21882,11 +20225,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -21900,25 +20241,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -21932,15 +20271,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -21955,43 +20293,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22006,14 +20342,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -22033,20 +20366,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -22061,14 +20392,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -22088,10 +20416,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -22100,14 +20427,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -22123,16 +20451,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -22155,15 +20481,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -22178,25 +20501,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -22216,9 +20537,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -22230,11 +20551,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -22248,25 +20567,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -22280,15 +20597,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -22308,14 +20624,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -22329,27 +20643,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
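Review bot: The new `allowExistingViolations` field defaults to `true`, but its description (`allows prexisting violating resources to continue violating a policy`) neither states the default nor says whether "continue violating" covers admission of updates to such resources, background reports, or both, which is what a policy author needs to know before relying on the default rather than setting it to `false` explicitly. This file looks like controller-gen output (reflowed `|-` descriptions throughout), so the wording should be fixed in the Go type's doc comment and regenerated rather than edited here. A one-line improvement would be `AllowExistingViolations allows pre-existing violating resources to continue violating a policy. Defaults to true.`, which also corrects the typo `prexisting`. The remaining changes in this hunk are description reflows only.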
@@ -22364,41 +20683,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -22414,124 +20737,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
 type: string
 message:
- description: 'Message represents the message
- displayed when validation fails. The message
- is required if the Expression contains line
- breaks. The message must not contain line
- breaks. If unset, the message is "failed
- rule: {Rule}". e.g. "must be a URL with
- the host matching spec.host" If the Expression
- contains line breaks. Message is required.
+ description: |-
+ Message represents the message displayed when validation fails. The message is required if the Expression contains
+ line breaks. The message must not contain line breaks.
+ If unset, the message is "failed rule: {Rule}".
+ e.g. "must be a URL with the host matching spec.host"
+ If the Expression contains line breaks. Message is required.
 The message must not contain line breaks.
- If unset, the message is "failed Expression:
- {Expression}".'
+ If unset, the message is "failed Expression: {Expression}".
 type: string
 messageExpression:
- description: 'messageExpression declares a
- CEL expression that evaluates to the validation
- failure message that is returned when this
- rule fails. Since messageExpression is used
- as a failure message, it must evaluate to
- a string. If both message and messageExpression
- are present on a validation, then messageExpression
- will be used if validation fails. If messageExpression
- results in a runtime error, the runtime
- error is logged, and the validation failure
- message is produced as if the messageExpression
- field were unset. If messageExpression evaluates
- to an empty string, a string with only spaces,
- or a string that contains line breaks, then
- the validation failure message will also
- be produced as if the messageExpression
- field were unset, and the fact that messageExpression
- produced an empty string/string with only
- spaces/string with line breaks will be logged.
- messageExpression has access to all the
- same variables as the `expression` except
- for ''authorizer'' and ''authorizer.requestResource''.
- Example: "object.x must be less than max
- ("+string(params.max)+")"'
+ description: |-
+ messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
+ Since messageExpression is used as a failure message, it must evaluate to a string.
+ If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.
+ If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
+ as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
+ that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
+ the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
+ messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.
+ Example:
+ "object.x must be less than max ("+string(params.max)+")"
 type: string
 reason:
- description: 'Reason represents a machine-readable
- description of why this validation failed.
- If this is the first validation in the list
- to fail, this reason, as well as the corresponding
- HTTP response code, are used in the HTTP
- response to the client. The currently supported
- reasons are: "Unauthorized", "Forbidden",
- "Invalid", "RequestEntityTooLarge". If not
- set, StatusReasonInvalid is used in the
- response to the client.'
+ description: |-
+ Reason represents a machine-readable description of why this validation failed.
+ If this is the first validation in the list to fail, this reason, as well as the
+ corresponding HTTP response code, are used in the
+ HTTP response to the client.
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge".
+ If not set, StatusReasonInvalid is used in the response to the client.
 type: string
 required:
 - expression
@@ -22542,13 +20845,15 @@ spec:
 and Version.
 properties:
 apiVersion:
- description: APIVersion is the API group version
- the resources belong to. In format of "group/version".
+ description: |-
+ APIVersion is the API group version the resources belong to.
+ In format of "group/version".
 Required.
 type: string
 kind:
- description: Kind is the API kind the resources
- belong to. Required.
+ description: |-
+ Kind is the API kind the resources belong to.
+ Required.
 type: string
 type: object
 x-kubernetes-map-type: atomic
@@ -22556,82 +20861,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -22643,41 +20949,34 @@ spec:
 matchLabels:
 additionalProperties:
 type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
 type: object
 type: object
 x-kubernetes-map-type: atomic
 type: object
 x-kubernetes-map-type: atomic
 variables:
- description: Variables contain definitions of variables
- that can be used in composition of other expressions.
+ description: |-
+ Variables contain definitions of variables that can be used in composition of other expressions.
 Each variable is defined as a named CEL expression.
- The variables defined here will be available under
- `variables` in other expressions of the policy.
+ The variables defined here will be available under `variables` in other expressions of the policy.
 items:
 description: Variable is the definition of a variable
 that is used for composition.
 properties:
 expression:
- description: Expression is the expression
- that will be evaluated as the value of the
- variable. The CEL expression has access
- to the same identifiers as the CEL expressions
- in Validation.
+ description: |-
+ Expression is the expression that will be evaluated as the value of the variable.
+ The CEL expression has access to the same identifiers as the CEL expressions in Validation.
 type: string
 name:
- description: Name is the name of the variable.
- The name must be a valid CEL identifier
- and unique among all variables. The variable
- can be accessed in other expressions through
- `variables` For example, if name is "foo",
- the variable will be available as `variables.foo`
+ description: |-
+ Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.
+ The variable can be accessed in other expressions through `variables`
+ For example, if name is "foo", the variable will be available as `variables.foo`
 type: string
 required:
 - expression
@@ -22690,12 +20989,11 @@ spec:
 fail a validation rule.
 properties:
 conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct list
- of conditions (without `any` or `all` statements)
- is also supported for backwards compatibility
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
 but will be deprecated in the next major release.
- See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
 x-kubernetes-preserve-unknown-fields: true
 type: object
 foreach:
@@ -22710,24 +21008,22 @@ spec:
 apply the specified logic.
 properties:
 anyPattern:
- description: AnyPattern specifies list of validation
- patterns. At least one of the patterns must
- be satisfied for the validation rule to succeed.
+ description: |-
+ AnyPattern specifies list of validation patterns. At least one of the patterns
+ must be satisfied for the validation rule to succeed.
 x-kubernetes-preserve-unknown-fields: true
 context:
 description: Context defines variables and data
 sources that can be used during rule execution.
 items:
- description: ContextEntry adds variables and
- data sources to a rule Context. Either a ConfigMap
- reference or a APILookup must be provided.
+ description: |-
+ ContextEntry adds variables and data sources to a rule Context. Either a
+ ConfigMap reference or a APILookup must be provided.
 properties:
 apiCall:
- description: APICall is an HTTP request
- to the Kubernetes API server, or other
- JSON web service. The data returned is
- stored in the context with the name for
- the context entry.
+ description: |-
+ APICall is an HTTP request to the Kubernetes API server, or other JSON web service.
+ The data returned is stored in the context with the name for the context entry.
 properties:
 data:
 description: Data specifies the POST
@@ -22750,15 +21046,12 @@ spec:
 type: object
 type: array
 jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the JSON response
- returned from the server. For example
- a JMESPath of "items | length(@)"
- applied to the API server response
- for the URLPath "/apis/apps/v1/deployments"
- will return the total count of deployments
- across all namespaces.
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the JSON response returned from the server. For example
+ a JMESPath of "items | length(@)" applied to the API server response
+ for the URLPath "/apis/apps/v1/deployments" will return the total count
+ of deployments across all namespaces.
 type: string
 method:
 default: GET
@@ -22773,25 +21066,23 @@ spec:
 to a JSON web service
 properties:
 caBundle:
- description: CABundle is a PEM encoded
- CA bundle which will be used to
- validate the server certificate.
+ description: |-
+ CABundle is a PEM encoded CA bundle which will be used to validate
+ the server certificate.
 type: string
 url:
- description: URL is the JSON web
- service URL. A typical form is
+ description: |-
+ URL is the JSON web service URL. A typical form is
 `https://{service}.{namespace}:{port}/{path}`.
 type: string
 required:
 - url
 type: object
 urlPath:
- description: URLPath is the URL path
- to be used in the HTTP GET or POST
- request to the Kubernetes API server
- (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
- The format required is the same format
- used by the `kubectl get --raw` command.
+ description: |-
+ URLPath is the URL path to be used in the HTTP GET or POST request to the
+ Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
+ The format required is the same format used by the `kubectl get --raw` command.
 See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls
 for details.
 type: string
@@ -22811,9 +21102,9 @@ spec:
 - name
 type: object
 imageRegistry:
- description: ImageRegistry defines requests
- to an OCI/Docker V2 registry to fetch
- image details.
+ description: |-
+ ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image
+ details.
 properties:
 imageRegistryCredentials:
 description: ImageRegistryCredentials
@@ -22825,11 +21116,9 @@ spec:
 allows insecure access to a registry.
 type: boolean
 providers:
- description: 'Providers specifies
- a list of OCI Registry names,
- whose authentication providers
- are provided. It can be of one
- of these values: default,google,azure,amazon,github.'
+ description: |-
+ Providers specifies a list of OCI Registry names, whose authentication providers are provided.
+ It can be of one of these values: default,google,azure,amazon,github.
 items:
 description: ImageRegistryCredentialsProvidersType
 provides the list of credential
@@ -22843,25 +21132,23 @@ spec:
 type: string
 type: array
 secrets:
- description: Secrets specifies a
- list of secrets that are provided
- for credentials. Secrets must
- live in the Kyverno namespace.
+ description: |-
+ Secrets specifies a list of secrets that are provided for credentials.
+ Secrets must live in the Kyverno namespace.
 items:
 type: string
 type: array
 type: object
 jmesPath:
- description: JMESPath is an optional
- JSON Match Expression that can be
- used to transform the ImageData struct
- returned as a result of processing
+ description: |-
+ JMESPath is an optional JSON Match Expression that can be used to
+ transform the ImageData struct returned as a result of processing
 the image reference.
 type: string
 reference:
- description: 'Reference is image reference
- to a container image in the registry.
- Example: ghcr.io/kyverno/kyverno:latest'
+ description: |-
+ Reference is image reference to a container image in the registry.
+ Example: ghcr.io/kyverno/kyverno:latest
 type: string
 required:
 - reference
@@ -22875,15 +21162,14 @@ spec:
 defined inline.
 properties:
 default:
- description: Default is an optional
- arbitrary JSON object that the variable
- may take if the JMESPath expression
- evaluates to nil
+ description: |-
+ Default is an optional arbitrary JSON object that the variable may take if the JMESPath
+ expression evaluates to nil
 x-kubernetes-preserve-unknown-fields: true
 jmesPath:
- description: JMESPath is an optional
- JMESPath Expression that can be used
- to transform the variable.
+ description: |-
+ JMESPath is an optional JMESPath Expression that can be used to
+ transform the variable.
 type: string
 value:
 description: Value is any arbitrary
@@ -22898,48 +21184,44 @@ spec:
 or fail a validation rule.
 properties:
 conditions:
- description: 'Multiple conditions can be declared
- under an `any` or `all` statement. A direct
- list of conditions (without `any` or `all`
- statements) is also supported for backwards
- compatibility but will be deprecated in
- the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules'
+ description: |-
+ Multiple conditions can be declared under an `any` or `all` statement. A direct list
+ of conditions (without `any` or `all` statements) is also supported for backwards compatibility
+ but will be deprecated in the next major release.
+ See: https://kyverno.io/docs/writing-policies/validate/#deny-rules
 x-kubernetes-preserve-unknown-fields: true
 type: object
 elementScope:
- description: ElementScope specifies whether to
- use the current list element as the scope for
- validation. Defaults to "true" if not specified.
- When set to "false", "request.object" is used
- as the validation scope within the foreach block
- to allow referencing other elements in the subtree.
+ description: |-
+ ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified.
+ When set to "false", "request.object" is used as the validation scope within the foreach
+ block to allow referencing other elements in the subtree.
 type: boolean
 foreach:
 description: Foreach declares a nested foreach
 iterator
 x-kubernetes-preserve-unknown-fields: true
 list:
- description: List specifies a JMESPath expression
- that results in one or more elements to which
- the validation logic is applied.
+ description: |-
+ List specifies a JMESPath expression that results in one or more elements
+ to which the validation logic is applied.
 type: string
 pattern:
 description: Pattern specifies an overlay-style
 pattern used to check resources.
 x-kubernetes-preserve-unknown-fields: true
 preconditions:
- description: 'AnyAllConditions are used to determine
- if a policy rule should be applied by evaluating
- a set of conditions. The declaration can contain
- nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/'
+ description: |-
+ AnyAllConditions are used to determine if a policy rule should be applied by evaluating a
+ set of conditions. The declaration can contain nested `any` or `all` statements.
+ See: https://kyverno.io/docs/writing-policies/preconditions/
 properties:
 all:
- description: AllConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, all of the conditions
- need to pass
+ description: |-
+ AllConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, all of the conditions need to pass
 items:
 description: Condition defines variable-based
 conditional criteria for rule execution.
@@ -22954,14 +21236,11 @@ spec:
 display message
 type: string
 operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
 enum:
 - Equals
 - NotEquals
@@ -22981,20 +21260,18 @@ spec:
 - DurationLessThan
 type: string
 value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
 x-kubernetes-preserve-unknown-fields: true
 type: object
 type: array
 any:
- description: AnyConditions enable variable-based
- conditional rule execution. This is useful
- for finer control of when an rule is applied.
- A condition can reference object data using
- JMESPath notation. Here, at least one of
- the conditions need to pass
+ description: |-
+ AnyConditions enable variable-based conditional rule execution. This is useful for
+ finer control of when an rule is applied. A condition can reference object data
+ using JMESPath notation.
+ Here, at least one of the conditions need to pass
 items:
 description: Condition defines variable-based
 conditional criteria for rule execution.
@@ -23009,14 +21286,11 @@ spec:
 display message
 type: string
 operator:
- description: 'Operator is the conditional
- operation to perform. Valid operators
- are: Equals, NotEquals, In, AnyIn,
- AllIn, NotIn, AnyNotIn, AllNotIn,
- GreaterThanOrEquals, GreaterThan,
- LessThanOrEquals, LessThan, DurationGreaterThanOrEquals,
- DurationGreaterThan, DurationLessThanOrEquals,
- DurationLessThan'
+ description: |-
+ Operator is the conditional operation to perform. Valid operators are:
+ Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals,
+ GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan,
+ DurationLessThanOrEquals, DurationLessThan
 enum:
 - Equals
 - NotEquals
@@ -23036,10 +21310,9 @@ spec:
 - DurationLessThan
 type: string
 value:
- description: Value is the conditional
- value, or set of values. The values
- can be fixed set or can be variables
- declared using JMESPath.
+ description: |-
+ Value is the conditional value, or set of values. The values can be fixed set
+ or can be variables declared using JMESPath.
 x-kubernetes-preserve-unknown-fields: true
 type: object
 type: array
@@ -23062,31 +21335,25 @@ spec:
 items:
 properties:
 count:
- description: Count specifies the required
- number of entries that must match. If the
- count is null, all entries must match (a
- logical AND). If the count is 1, at least
- one entry must match (a logical OR). If
- the count contains a value N, then N must
- be less than or equal to the size of entries,
- and at least N entries must match.
+ description: |-
+ Count specifies the required number of entries that must match. If the count is null, all entries must match
+ (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a
+ value N, then N must be less than or equal to the size of entries, and at least N entries must match.
 minimum: 1
 type: integer
 entries:
- description: Entries contains the available
- attestors. An attestor can be a static key,
- attributes for keyless verification, or
- a nested attestor declaration.
+ description: |-
+ Entries contains the available attestors. An attestor can be a static key,
+ attributes for keyless verification, or a nested attestor declaration.
 items:
 properties:
 annotations:
 additionalProperties:
 type: string
- description: Annotations are used for
- image verification. Every specified
- key-value pair must exist and match
- in the verified payload. The payload
- may contain other key-value pairs.
+ description: |-
+ Annotations are used for image verification.
+ Every specified key-value pair must exist and match in the verified payload.
+ The payload may contain other key-value pairs.
 type: object
 attestor:
 description: Attestor is a nested set
@@ -23107,21 +21374,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -23129,36 +21389,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -23169,9 +21418,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -23181,21 +21430,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -23203,15 +21445,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23219,24 +21456,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -23246,10 +21477,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -23262,21 +21492,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -23284,63 +21507,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -23376,12 +21577,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -23422,10 +21620,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -23437,9 +21634,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -23449,9 +21646,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -23470,14 +21667,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -23486,19 +21680,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -23516,10 +21709,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -23533,17 +21726,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -23551,33 +21742,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -23598,23 +21781,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -23623,27 +21797,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23651,13 +21814,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -23668,9 +21827,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -23680,23 +21839,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -23705,17 +21855,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -23723,13 +21866,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23737,13 +21876,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -23753,11 +21888,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -23771,23 +21904,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -23796,56 +21920,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -23853,13 +21953,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -23896,40 +21992,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -23944,14 +22030,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -23971,21 +22054,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -24000,14 +22080,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -24027,10 +22104,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -24052,31 +22128,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -24097,21 +22167,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -24119,35 +22182,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24158,8 +22211,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -24170,21 +22223,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -24192,15 +22238,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -24208,23 +22249,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -24234,10 +22270,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -24250,21 +22285,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -24272,61 +22300,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -24361,12 +22369,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -24376,13 +22381,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -24395,10 +22398,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24412,9 +22414,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -24427,16 +22429,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -24451,9 +22452,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -24478,42 +22479,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -24527,11 +22528,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -24547,8 +22549,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -24576,10 +22579,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -24607,7 +22609,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policies.kyverno.io spec: group: kyverno.io 
@@ -24664,19 +22666,24 @@ spec: name: v1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -24685,95 +22692,99 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. This field should not be - accessed directly, instead `GetFailurePolicy()` should be used. 
+ description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. + Rules within the same policy share the same failure behavior. + This field should not be accessed directly, instead `GetFailurePolicy()` should be used. Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. 
+ Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. 
The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -24784,15 +22795,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -24814,13 +22824,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -24835,22 +22844,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -24867,8 +22878,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -24879,10 +22891,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -24896,21 +22907,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -24923,13 +22936,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -24939,10 +22953,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -24964,11 +22978,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -24976,58 +22989,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -25040,20 +23044,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25073,42 +23074,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25121,12 +23115,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25141,32 +23133,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -25197,11 +23184,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -25209,58 +23195,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -25273,20 +23250,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25306,42 +23280,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25354,12 +23321,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25374,32 +23339,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -25417,20 +23377,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -25438,52 +23397,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -25495,19 +23451,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25527,38 +23481,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -25570,12 +23521,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25590,32 +23539,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -25631,10 +23576,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -25656,34 +23601,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -25695,21 +23639,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -25721,12 +23663,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -25737,50 +23678,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -25802,11 +23740,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -25814,58 +23751,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -25878,20 +23806,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -25911,42 +23836,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -25959,12 +23877,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -25979,32 +23895,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -26035,11 +23946,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -26047,58 +23957,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -26111,20 +24012,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -26144,42 +24042,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -26192,12 +24083,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -26212,32 +24101,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -26255,20 +24139,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information about - the resource being created or modified. Requires at least - one tag to be specified when under MatchResources. Specifying - ResourceDescription directly under match is being deprecated. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -26276,52 +24159,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -26333,19 +24213,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -26365,38 +24243,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -26408,12 +24283,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -26428,32 +24301,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -26479,15 +24348,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26509,14 +24377,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -26531,25 +24397,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26567,8 +24432,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -26581,11 +24446,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26599,23 +24462,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -26628,15 +24491,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -26649,42 +24511,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26698,13 +24559,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -26724,20 +24583,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -26751,13 +24608,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -26777,10 +24632,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -26789,14 +24643,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -26812,15 +24667,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -26842,14 +24696,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -26864,25 +24716,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -26900,8 +24751,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -26914,11 +24765,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -26932,23 +24781,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -26961,15 +24810,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -26988,13 +24836,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -27008,27 +24855,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting violating + resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. 
At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -27043,39 +24895,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -27091,113 +24949,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -27208,13 +25052,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -27222,77 +25068,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -27305,40 +25156,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -27351,11 +25196,11 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. A direct list of conditions - (without `any` or `all` statements) is also supported - for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -27369,23 +25214,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -27407,14 +25251,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -27429,25 +25271,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -27465,8 +25306,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -27479,11 +25320,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -27497,23 +25336,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -27526,15 +25365,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -27548,47 +25386,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27602,13 +25436,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -27628,20 +25460,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -27655,13 +25485,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -27681,10 +25509,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -27706,31 +25533,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -27751,19 +25572,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -27771,33 +25587,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27808,8 +25616,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -27820,19 +25628,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -27840,14 +25643,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -27855,22 +25654,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -27880,10 +25675,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -27896,19 +25690,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -27916,57 +25705,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -28000,12 +25773,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -28046,9 +25816,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -28060,9 +25830,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -28072,8 +25842,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -28092,13 +25863,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -28107,19 +25876,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -28137,10 +25905,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -28154,16 +25922,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -28171,31 +25938,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -28216,21 +25977,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -28238,36 +25992,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -28278,9 +26021,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -28290,21 +26033,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -28312,15 +26048,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -28328,24 +26059,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -28355,10 +26080,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -28371,21 +26095,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -28393,63 +26110,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -28485,37 +26180,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -28530,14 +26218,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28557,20 +26242,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -28585,14 +26268,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -28612,10 +26292,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -28637,29 +26316,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -28680,19 +26355,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -28700,33 +26370,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28736,8 +26398,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -28748,19 +26410,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -28768,14 +26425,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -28783,22 +26436,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -28807,10 +26456,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -28823,19 +26471,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -28843,56 +26486,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -28925,11 +26553,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -28939,13 +26565,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -28958,9 +26582,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. @@ -28973,9 +26597,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -28988,16 +26612,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -29012,9 +26635,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -29036,23 +26659,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -29060,9 +26683,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -29075,34 +26698,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -29114,11 +26737,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -29129,11 +26751,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -29148,51 +26769,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -29203,15 +26822,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -29233,13 +26851,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -29254,23 +26871,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -29287,8 +26905,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -29300,10 +26919,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -29317,23 +26935,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -29346,14 +26964,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -29363,11 +26981,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -29389,10 +27006,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -29401,60 +27017,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -29467,20 +27072,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -29501,44 +27103,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29551,12 +27144,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -29571,36 +27162,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -29630,10 +27213,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -29642,60 +27224,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -29708,20 +27279,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -29742,44 +27310,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -29792,12 +27351,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -29812,36 +27369,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -29858,21 +27407,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -29880,57 +27427,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -29943,20 +27482,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -29976,42 +27512,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30024,12 +27553,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -30044,32 +27571,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -30085,11 +27608,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -30113,37 +27635,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -30156,22 +27674,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -30183,11 +27698,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -30199,50 +27713,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -30265,10 +27775,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -30277,60 +27786,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -30343,20 +27841,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -30377,44 +27872,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30427,12 +27913,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -30447,36 +27931,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -30506,10 +27982,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -30518,60 +27993,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -30584,20 +28048,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -30618,44 +28079,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30668,12 +28120,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -30688,36 +28138,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -30734,21 +28176,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -30756,57 +28196,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -30819,20 +28251,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -30852,42 +28281,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -30900,12 +28322,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -30920,32 +28340,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -30972,16 +28388,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31004,15 +28418,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -31027,25 +28438,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -31065,9 +28474,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -31079,11 +28488,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31097,25 +28504,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -31129,15 +28534,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -31152,43 +28556,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31203,14 +28605,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -31230,20 +28629,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -31258,14 +28655,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -31285,10 +28679,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -31297,14 +28690,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -31320,16 +28714,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -31352,15 +28744,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -31375,25 +28764,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -31413,9 +28800,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -31427,11 +28814,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -31445,25 +28830,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -31477,15 +28860,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -31505,14 +28887,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -31526,27 +28906,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
@@ -31561,41 +28946,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -31611,124 +29000,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -31739,13 +29108,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -31753,82 +29124,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -31840,41 +29212,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -31887,12 +29252,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -31907,24 +29271,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -31947,15 +29309,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -31970,25 +29329,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -32008,9 +29365,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -32022,11 +29379,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -32040,25 +29395,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -32072,15 +29425,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -32095,48 +29447,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -32151,14 +29499,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -32178,20 +29523,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -32206,14 +29549,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -32233,10 +29573,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -32259,31 +29598,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -32304,21 +29637,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -32326,36 +29652,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -32366,9 +29681,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32378,21 +29693,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -32400,15 +29708,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32416,24 +29719,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -32443,10 +29740,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -32459,21 +29755,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -32481,63 +29770,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -32573,12 +29840,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -32619,10 +29883,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -32634,9 +29897,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -32646,9 +29909,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -32667,14 +29930,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -32683,19 +29943,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -32713,10 +29972,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -32730,17 +29989,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -32748,33 +30005,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -32795,23 +30044,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -32820,27 +30060,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32848,13 +30077,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -32865,9 +30090,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -32877,23 +30102,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -32902,17 +30118,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -32920,13 +30129,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -32934,13 +30139,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -32950,11 +30151,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -32968,23 +30167,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -32993,56 +30183,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -33050,13 +30216,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -33093,40 +30255,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -33141,14 +30293,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -33168,21 +30317,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -33197,14 +30343,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -33224,10 +30367,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -33249,31 +30391,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -33294,21 +30430,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -33316,35 +30445,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33355,8 +30474,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -33367,21 +30486,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -33389,15 +30501,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -33405,23 +30512,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -33431,10 +30533,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -33447,21 +30548,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -33469,61 +30563,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -33558,12 +30632,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -33573,13 +30644,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -33592,10 +30661,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -33609,9 +30677,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -33624,16 +30692,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -33648,9 +30715,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -33675,42 +30742,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -33724,11 +30791,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -33744,8 +30812,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -33773,10 +30842,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -33834,19 +30902,24 @@ spec: name: v2beta1 schema: openAPIV3Schema: - description: 'Policy declares validation, mutation, and generation behaviors - for matching resources. See: https://kyverno.io/docs/writing-policies/ for - more information.' + description: |- + Policy declares validation, mutation, and generation behaviors for matching resources. + See: https://kyverno.io/docs/writing-policies/ for more information. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -33855,94 +30928,98 @@ spec: properties: admission: default: true - description: Admission controls if rules are applied during admission. + description: |- + Admission controls if rules are applied during admission. Optional. Default value is "true". type: boolean applyRules: - description: ApplyRules controls how rules in a policy are applied. - Rule are processed in the order of declaration. When set to `One` - processing stops after a rule has been applied i.e. the rule matches - and results in a pass, fail, or error. When set to `All` all rules - in the policy are processed. The default is `All`. + description: |- + ApplyRules controls how rules in a policy are applied. Rule are processed in + the order of declaration. When set to `One` processing stops after a rule has + been applied i.e. the rule matches and results in a pass, fail, or error. When + set to `All` all rules in the policy are processed. The default is `All`. enum: - All - One type: string background: default: true - description: Background controls if rules are applied to existing - resources during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if rules are applied to existing resources during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean failurePolicy: - description: FailurePolicy defines how unexpected policy errors and - webhook response timeout errors are handled. Rules within the same - policy share the same failure behavior. Allowed values are Ignore - or Fail. Defaults to Fail. + description: |- + FailurePolicy defines how unexpected policy errors and webhook response timeout errors are handled. 
+ Rules within the same policy share the same failure behavior. + Allowed values are Ignore or Fail. Defaults to Fail. enum: - Ignore - Fail type: string generateExisting: - description: GenerateExisting controls whether to trigger generate - rule in existing resources If is set to "true" generate rule will - be triggered and applied to existing matched resources. Defaults - to "false" if not specified. + description: |- + GenerateExisting controls whether to trigger generate rule in existing resources + If is set to "true" generate rule will be triggered and applied to existing matched resources. + Defaults to "false" if not specified. type: boolean generateExistingOnPolicyUpdate: description: Deprecated, use generateExisting instead type: boolean mutateExistingOnPolicyUpdate: - description: MutateExistingOnPolicyUpdate controls if a mutateExisting - policy is applied on policy events. Default value is "false". + description: |- + MutateExistingOnPolicyUpdate controls if a mutateExisting policy is applied on policy events. + Default value is "false". type: boolean rules: - description: Rules is a list of Rule instances. A Policy contains - multiple rules and each rule can validate, mutate, or generate resources. + description: |- + Rules is a list of Rule instances. A Policy contains multiple rules and + each rule can validate, mutate, or generate resources. items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match declaration - to select resources, and an optional exclude declaration to specify - which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. 
properties: celPreconditions: - description: CELPreconditions are used to determine if a policy - rule should be applied by evaluating a set of CEL conditions. - It can only be used with the validate.cel subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression which - will be evaluated by CEL. Must evaluate to bool. CEL - expressions have access to the contents of the AdmissionRequest - and Authorizer, organized into CEL variables: \n 'object' - - The object from the incoming request. The value is - null for DELETE requests. 'oldObject' - The existing - object. The value is null for CREATE requests. 'request' - - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to perform - authorization checks for the principal (user or service - account) of the request. See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck constructed - from the 'authorizer' and configured with the request - resource. Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match condition, - used for strategic merging of MatchConditions, as well - as providing an identifier for logging purposes. A good - name should be descriptive of the associated expression. - Name must be a qualified name consisting of alphanumeric - characters, '-', '_' or '.', and must start and end - with an alphanumeric character (e.g. 'MyName', or 'my.name', - \ or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression 
@@ -33953,15 +31030,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a APILookup - must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data returned - is stored in the context with the name for the context - entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent to @@ -33983,13 +31059,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the JSON response - returned from the server. For example a JMESPath - of "items | length(@)" applied to the API server - response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -34004,22 +31079,24 @@ spec: service properties: caBundle: - description: CABundle is a PEM encoded CA bundle - which will be used to validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used in - the HTTP GET or POST request to the Kubernetes API - server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used by the - `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -34036,8 +31113,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an OCI/Docker - V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides credentials 
@@ -34048,10 +31126,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -34065,21 +31142,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match Expression - that can be used to transform the ImageData struct - returned as a result of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference to a container - image in the registry. Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -34092,13 +31171,14 @@ spec: variable that can be defined inline. properties: default: - description: Default is an optional arbitrary JSON - object that the variable may take if the JMESPath + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath Expression - that can be used to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object representable @@ -34108,10 +31188,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the name or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -34133,11 +31213,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -34145,58 +31224,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -34209,20 +31279,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -34242,42 +31309,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34290,12 +31350,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -34310,32 +31368,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -34366,11 +31419,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -34378,58 +31430,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -34442,20 +31485,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -34475,42 +31515,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34523,12 +31556,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -34543,32 +31574,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -34587,10 +31613,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used to - populate each generated resource. At most one of Data - or Clone can be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -34612,34 +31638,33 @@ spec: description: Namespace specifies source resource namespace. type: string selector: - description: Selector is a label selector. Label keys - and values in `matchLabels`. wildcard characters are - not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -34651,21 +31676,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration used - to populate each generated resource. At most one of Data - or Clone must be specified. If neither are provided, the - generated resource will be created with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -34677,12 +31700,11 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. If - Synchronize is set to "true" changes to generated resources - will be overwritten with resource data from Data or the - resource specified in the Clone declaration. Optional. - Defaults to "false" if not specified. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. + Optional. Defaults to "false" if not specified. type: boolean uid: description: UID specifies the resource uid. 
@@ -34693,50 +31715,47 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when the - extracted image begins with a prefix like ''docker://''. - The ''trim_prefix'' function may be used to trim the - prefix: trim_prefix(@, ''docker://''). Note - Image - digest mutation may not be used when applying a JMESPAth - to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field within - 'path' that will be used to uniquely identify an image. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be available - under 'images.' in the context. If this field - is not defined, image entries will appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should be - slash-separated. Each slash-separated key must be - a valid YAML key or a wildcard '*'. Wildcard keys - are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. + Wildcard keys are expanded in case of arrays or objects. 
type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This is - useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds to - ImageExtractorConfigs. This config is only valid for verifyImages - rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule should - be applied. The match criteria can include resource information - (e.g. kind, name, namespace, labels) and admission review - request information like the user name or role. At least one - kind is required. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. + At least one kind is required. properties: all: description: All allows specifying resources which will @@ -34758,11 +31777,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -34770,58 +31788,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -34834,20 +31843,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -34867,42 +31873,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -34915,12 +31914,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -34935,32 +31932,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -34991,11 +31983,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and "?" - (matches at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -35003,58 +31994,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated - in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key - and value but does not match an empty label - set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -35067,20 +32049,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -35100,42 +32079,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the - wildcard characters `*` (matches zero or many - characters) and `?` (matches one character). - Wildcards allows writing label selectors like - ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not - match an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -35148,12 +32120,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -35168,32 +32138,27 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the - object or user identities a role binding applies - to. This can either hold a direct API object - reference, or a value for non-objects such as - user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of - the referenced subject. Defaults to "" for - ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as - "User" or "Group", and this value is not empty + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. type: string required: 
@@ -35222,15 +32187,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35252,14 +32216,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -35274,25 +32236,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35310,8 +32271,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -35324,11 +32285,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35342,23 +32301,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -35371,15 +32330,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -35392,42 +32350,41 @@ spec: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order on - the list. Can be Ascending to iterate from first - to last element or Descending to iterate in from - last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 - JSON Patch declarations used to modify resources. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. 
See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35441,13 +32398,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35467,20 +32422,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -35494,13 +32447,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35520,10 +32471,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -35532,14 +32482,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge patch - used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to be 
@@ -35555,15 +32506,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data @@ -35585,14 +32535,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -35607,25 +32555,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -35643,8 +32590,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -35657,11 +32604,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -35675,23 +32620,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -35704,15 +32649,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON @@ -35731,13 +32675,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but will - be deprecated in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -35751,17 +32694,17 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, all of the conditions need - to pass. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass. items: properties: key: @@ -35772,11 +32715,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35794,18 +32737,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based conditional - rule execution. This is useful for finer control of when - an rule is applied. A condition can reference object data - using JMESPath notation. Here, at least one of the conditions - need to pass. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass. items: properties: key: @@ -35816,11 +32759,11 @@ spec: description: Message is an optional display message type: string operator: - description: 'Operator is the conditional operation - to perform. Valid operators are: Equals, NotEquals, - In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -35838,27 +32781,27 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, or set - of values. The values can be fixed set or can be - variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array type: object skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default value - is set to "true", it must be set to "false" to apply generate - and mutateExisting rules to those requests. + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply + generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: anyPattern: - description: AnyPattern specifies list of validation patterns. - At least one of the patterns must be satisfied for the - validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the Common 
@@ -35873,39 +32816,45 @@ spec: an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than - 63 bytes in length. \n The key is combined with - the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook uses - the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the first - annotation written with the key will be included - in the audit event and all subsequent annotations - with the same key will be discarded. \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the expression - which is evaluated by CEL to produce an audit - annotation value. The expression must evaluate - to either a string or null value. If the expression - evaluates to a string, the audit annotation - is included with the string value. If the expression - evaluates to null or empty string the audit - annotation will be omitted. 
The valueExpression - may be no longer than 5kb in length. If the - result of the valueExpression is more than 10kb - in length, it will be truncated to 10kb. \n - If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the valueExpression - will be evaluated for each binding. All unique - values produced by the valueExpressions will - be joined together in a comma-separated list. - \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -35921,113 +32870,99 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents - of the API request/response, organized into - CEL variables as well as some other useful variables: - \n - 'object' - The object from the incoming - request. The value is null for DELETE requests. - - 'oldObject' - The existing object. The value - is null for CREATE requests. - 'request' - Attributes - of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred to - by the policy binding being evaluated. Only - populated if the policy has a ParamKind. - 'namespaceObject' + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the + API request/response, organized into CEL variables + as well as some other useful variables:\n\n\n- + 'object' - The object from the incoming request. + The value is null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null for + CREATE requests.\n- 'request' - Attributes of + the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to by + the policy binding being evaluated. Only populated + if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped - resources. - 'variables' - Map of composited + resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated - value. For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value.\n For example, a variable named 'foo' + can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) - of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + of the request.\n See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the object. - No other metadata properties are accessible. - \n Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` - are accessible. Accessible property names are + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names are escaped according to the following rules when - accessed in the expression: - '__' escapes to - '__underscores__' - '.' escapes to '__dot__' - - '-' escapes to '__dash__' - '/' escapes to - '__slash__' - Property names that exactly match + accessed in the expression:\n- '__' escapes + to '__underscores__'\n- '.' escapes to '__dot__'\n- + '-' escapes to '__dash__'\n- '/' escapes to + '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. - The keywords are: \"true\", \"false\", \"null\", - \"in\", \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", \"import\", - \"let\", \"loop\", \"package\", \"namespace\", - \"return\". 
Examples: - Expression accessing - a property named \"namespace\": {\"Expression\": - \"object.__namespace__ > 0\"} - Expression accessing - a property named \"x-prop\": {\"Expression\": - \"object.x__dash__prop > 0\"} - Expression accessing - a property named \"redact__d\": {\"Expression\": - \"object.redact__underscores__d > 0\"} \n Equality - on arrays with list type of 'set' or 'map' ignores - element order, i.e. [1, 2] == [2, 1]. Concatenation - on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X + Y` - performs a union where the array positions of - all elements in `X` are preserved and non-intersecting + The keywords are:\n\t \"true\", \"false\", + \"null\", \"in\", \"as\", \"break\", \"const\", + \"continue\", \"else\", \"for\", \"function\", + \"if\",\n\t \"import\", \"let\", \"loop\", + \"package\", \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named \"namespace\": + {\"Expression\": \"object.__namespace__ > 0\"}\n + \ - Expression accessing a property named \"x-prop\": + {\"Expression\": \"object.x__dash__prop > 0\"}\n + \ - Expression accessing a property named \"redact__d\": + {\"Expression\": \"object.redact__underscores__d + > 0\"}\n\n\nEquality on arrays with list type + of 'set' or 'map' ignores element order, i.e. + [1, 2] == [2, 1].\nConcatenation on arrays with + x-kubernetes-list-type use the semantics of + the list type:\n - 'set': `X + Y` performs + a union where the array positions of all elements + in `X` are preserved and\n non-intersecting elements in `Y` are appended, retaining their - partial order. - 'map': `X + Y` performs a merge - where the array positions of all keys in `X` - are preserved but the values are overwritten - by values in `Y` when the key sets of `X` and - `Y` intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial order. - Required." 
+ partial order.\n - 'map': `X + Y` performs + a merge where the array positions of all keys + in `X` are preserved but the values\n are + overwritten by values in `Y` when the key sets + of `X` and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, retaining + their partial order.\nRequired." type: string message: - description: 'Message represents the message displayed - when validation fails. The message is required - if the Expression contains line breaks. The - message must not contain line breaks. If unset, - the message is "failed rule: {Rule}". e.g. "must - be a URL with the host matching spec.host" If - the Expression contains line breaks. Message - is required. The message must not contain line - breaks. If unset, the message is "failed Expression: - {Expression}".' + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. + The message must not contain line breaks. + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a CEL - expression that evaluates to the validation - failure message that is returned when this rule - fails. Since messageExpression is used as a - failure message, it must evaluate to a string. - If both message and messageExpression are present - on a validation, then messageExpression will - be used if validation fails. If messageExpression - results in a runtime error, the runtime error - is logged, and the validation failure message - is produced as if the messageExpression field - were unset. 
If messageExpression evaluates to - an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also be - produced as if the messageExpression field were - unset, and the fact that messageExpression produced - an empty string/string with only spaces/string - with line breaks will be logged. messageExpression - has access to all the same variables as the - `expression` except for ''authorizer'' and ''authorizer.requestResource''. - Example: "object.x must be less than max ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. If - this is the first validation in the list to - fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP response - to the client. 
The currently supported reasons - are: "Unauthorized", "Forbidden", "Invalid", - "RequestEntityTooLarge". If not set, StatusReasonInvalid - is used in the response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. + The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -36038,13 +32973,15 @@ spec: Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -36052,77 +32989,82 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` are - mutually exclusive properties. If one is set, - the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of the - referenced resource. Allows limiting the search - for params to a specific namespace. Applies to - both `name` and `selector` fields. \n A per-namespace - parameter may be used by specifying a namespace-scoped - `paramKind` in the policy and leaving this field - empty. \n - If `paramKind` is cluster-scoped, - this field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the object - being evaluated for admission will be used when - this field is left unset. Take care that if this - is left empty the binding must not match any cluster-scoped - resources, which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but there - are no parameters matched by the binding. If the - value is set to `Allow`, then no matched parameters - will be treated as successful validation by the - binding. If set to `Deny`, then no matched parameters - will be subject to the `failurePolicy` of the - policy. \n Allowed values are `Allow` or `Deny` - Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match multiple - param objects based on their labels. Supply selector: - {} to match all resources of the ParamKind. \n - If multiple params are found, they are all evaluated - with the policy expressions and the results are - ANDed together. \n One of `name` or `selector` - must be set, but `name` and `selector` are mutually - exclusive properties. If one is set, the other - must be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -36135,40 +33077,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression that - will be evaluated as the value of the variable. - The CEL expression has access to the same identifiers - as the CEL expressions in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier and - unique among all variables. 
The variable can - be accessed in other expressions through `variables` - For example, if name is "foo", the variable - will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -36181,14 +33117,15 @@ spec: a validation rule. properties: conditions: - description: 'Multiple conditions can be declared under - an `any` or `all` statement. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, all of the conditions need to pass. items: properties: 
@@ -36201,13 +33138,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36225,17 +33160,17 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A condition - can reference object data using JMESPath notation. + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. Here, at least one of the conditions need to pass. items: properties: 
@@ -36248,13 +33183,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators are: - Equals, NotEquals, In, AnyIn, AllIn, NotIn, - AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -36272,9 +33205,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -36291,23 +33224,22 @@ spec: the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data - sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the - Kubernetes API server, or other JSON web service. - The data returned is stored in the context - with the name for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data 
@@ -36329,14 +33261,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the JSON response returned from the server. - For example a JMESPath of "items | length(@)" - applied to the API server response for - the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -36351,25 +33281,24 @@ spec: JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to validate + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate the server certificate. type: string url: - description: URL is the JSON web service - URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to - be used in the HTTP GET or POST request - to the Kubernetes API server (e.g. "/api/v1/namespaces" - or "/apis/apps/v1/deployments"). The - format required is the same format used - by the `kubectl get --raw` command. See - https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -36387,8 +33316,8 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch image + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image details. properties: imageRegistryCredentials: 
@@ -36401,11 +33330,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a - list of OCI Registry names, whose - authentication providers are provided. - It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -36419,23 +33346,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list - of secrets that are provided for credentials. + description: |- + Secrets specifies a list of secrets that are provided for credentials. Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON - Match Expression that can be used to transform - the ImageData struct returned as a result - of processing the image reference. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing + the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -36448,15 +33375,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take - if the JMESPath expression evaluates to - nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform - the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON 
@@ -36470,47 +33396,43 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to use - the current list element as the scope for validation. - Defaults to "true" if not specified. When set to - "false", "request.object" is used as the validation - scope within the foreach block to allow referencing - other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which the - validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36524,13 +33446,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -36550,20 +33470,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful for - finer control of when an rule is applied. A - condition can reference object data using JMESPath - notation. Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -36577,13 +33495,11 @@ spec: message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, AllIn, - NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, - GreaterThan, LessThanOrEquals, LessThan, - DurationGreaterThanOrEquals, DurationGreaterThan, - DurationLessThanOrEquals, DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -36603,10 +33519,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional value, - or set of values. The values can be fixed - set or can be variables declared using - JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -36628,31 +33543,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must match - (a logical OR). If the count contains a value - N, then N must be less than or equal to the - size of entries, and at least N entries must - match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes - for keyless verification, or a nested attestor - declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other - key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of 
@@ -36673,19 +33582,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -36693,33 +33597,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36730,8 +33626,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -36742,19 +33638,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -36762,14 +33653,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -36777,22 +33664,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -36802,10 +33685,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -36818,19 +33700,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate Timestamps - (SCTs). If the value is unset, the - default behavior by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate - Timestamp (SCT) log to check for - a certificate timestamp. Default - is false. Set to true if this - was opted out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -36838,57 +33715,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the root - CA certificate. Optionally may - contain intermediate CA certificates, - and may contain the leaf TSA certificate - if not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image signatures. - The keys can be directly specified - or can be a variable reference to - a key specified in a ConfigMap (see - https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster by - specifying it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public - key used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) - within the set of attestors and the - count is applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use - for a custom Rekor. If set, this - will be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -36922,12 +33783,9 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If - specified Repository will override other - OCI image repository locations for this - Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -36968,9 +33826,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate OCI - repository to use for resource bundle reference. The - repository can be overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -36982,9 +33840,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for Pod - Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security Standard @@ -36994,8 +33852,9 @@ spec: Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name of - the Pod Security Standard control. See: https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -37014,13 +33873,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each image - is the image name consisting of the registry - address, repository, image, and tag. Empty list - matches no containers, PSS checks are applied - at the pod level only. Wildcards (''*'' and - ''?'') are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -37029,19 +33886,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values are - privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, - v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -37059,22 +33915,21 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated to - include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: attestations: - description: Attestations are optional checks for signed - in-toto Statements used to verify the image. See https://github.com/in-toto/attestation. - Kyverno fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. See - https://github.com/in-toto/attestation. Kyverno fetches - signed attestations from the OCI registry and decodes - them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required attestors 
@@ -37082,31 +33937,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -37127,21 +33976,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -37149,36 +33991,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -37189,9 +34020,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -37201,21 +34032,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -37223,15 +34047,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -37239,24 +34058,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -37266,10 +34079,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -37282,21 +34094,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -37304,63 +34109,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -37396,37 +34179,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long there - are predicates that match the predicate type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of conditions - wrapped denoting a logical criteria to be fulfilled. - AnyConditions get fulfilled when at least one - of its sub-conditions passes. AllConditions - get fulfilled only when all of its sub-conditions - pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -37441,14 +34217,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37468,20 +34241,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -37496,14 +34267,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -37523,10 +34291,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -37548,29 +34315,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is null, - all entries must match (a logical AND). If the - count is 1, at least one entry must match (a logical - OR). If the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available attestors. - An attestor can be a static key, attributes for - keyless verification, or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for image - verification. Every specified key-value - pair must exist and match in the verified - payload. The payload may contain other key-value - pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set of Attestor 
@@ -37591,19 +34354,14 @@ spec: to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -37611,33 +34369,25 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37647,8 +34397,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -37659,19 +34409,14 @@ spec: signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used @@ -37679,14 +34424,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -37694,22 +34435,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of @@ -37718,10 +34455,9 @@ spec: type: string type: object roots: - description: Roots is an optional set - of PEM encoded trusted root certificates. - If not provided, the system roots are - used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified identity 
@@ -37734,19 +34470,14 @@ spec: keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for validation - of Signed Certificate Timestamps (SCTs). - If the value is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines whether - to use the Signed Certificate Timestamp - (SCT) log to check for a certificate - timestamp. Default is false. Set - to true if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is used 
@@ -37754,56 +34485,41 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, if set, - is the PEM-encoded certificate chain - file for the RFC3161 timestamp authority. - Must contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI to - the public key stored in a Key Management - System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 public - keys used to verify image signatures. - The keys can be directly specified or - can be a variable reference to a key - specified in a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes Secret - elsewhere in the cluster by specifying - it in the format "k8s:///". - The named Secret must specify a key - `cosign.pub` containing the public key - used for verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified each - key is processed as a separate staticKey - entry (.attestors[*].entries.keys) within - the set of attestors and the count is - applied across the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the public - instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an optional - PEM-encoded public key to use for - a custom Rekor. If set, this will - be used to validate transparency - log signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address of 
@@ -37836,24 +34552,20 @@ spec: type: string type: object repository: - description: Repository is an optional alternate - OCI repository to use for signatures and - attestations that match this rule. If specified - Repository will override other OCI image - repository locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array imageReferences: - description: 'ImageReferences is a list of matching image - reference patterns. At least one pattern in the list - must match the image for the rule to apply. Each image - reference consists of a registry address (defaults to - docker.io), repository, image, and tag (defaults to - latest). Wildcards (''*'' and ''?'') are allowed. See: - https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -37866,9 +34578,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI Registry - names, whose authentication providers are provided. - It can be of one of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers required. 
@@ -37881,25 +34593,24 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets that - are provided for credentials. Secrets must live - in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI repository - to use for image signatures and attestations that match - this rule. If specified Repository will override the - default OCI image repository configured for the installation. - The repository can also be overridden per Attestor or - Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true @@ -37908,9 +34619,9 @@ spec: check. type: boolean type: - description: Type specifies the method of signature validation. - The allowed options are Cosign and Notary. By default - Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -37932,23 +34643,23 @@ spec: type: object type: array schemaValidation: - description: SchemaValidation skips validation checks for policies - as well as patched resources. Optional. The default value is set - to "true", it must be set to "false" to disable the validation checks. + description: |- + SchemaValidation skips validation checks for policies as well as patched resources. + Optional. The default value is set to "true", it must be set to "false" to disable the validation checks. type: boolean useServerSideApply: - description: UseServerSideApply controls whether to use server-side - apply for generate rules If is set to "true" create & update for - generate rules will use apply instead of create/update. Defaults - to "false" if not specified. + description: |- + UseServerSideApply controls whether to use server-side apply for generate rules + If is set to "true" create & update for generate rules will use apply instead of create/update. + Defaults to "false" if not specified. type: boolean validationFailureAction: default: Audit - description: ValidationFailureAction defines if a validation policy - rule violation should block the admission review request (enforce), - or allow (audit) the admission review request and report an error - in a policy report. Optional. Allowed values are audit or enforce. - The default value is "Audit". + description: |- + ValidationFailureAction defines if a validation policy rule violation should block + the admission review request (enforce), or allow (audit) the admission review request + and report an error in a policy report. Optional. + Allowed values are audit or enforce. The default value is "Audit". enum: - audit - enforce 
@@ -37956,9 +34667,9 @@ spec: - Enforce type: string validationFailureActionOverrides: - description: ValidationFailureActionOverrides is a Cluster Policy - attribute that specifies ValidationFailureAction namespace-wise. - It overrides ValidationFailureAction for the specified namespaces. + description: |- + ValidationFailureActionOverrides is a Cluster Policy attribute that specifies ValidationFailureAction + namespace-wise. It overrides ValidationFailureAction for the specified namespaces. items: properties: action: 
@@ -37971,34 +34682,34 @@ spec: - Enforce type: string namespaceSelector: - description: A label selector is a label query over a set of - resources. The result of matchLabels and matchExpressions - are ANDed. An empty label selector matches all objects. A - null label selector matches no objects. + description: |- + A label selector is a label query over a set of resources. The result of matchLabels and + matchExpressions are ANDed. An empty label selector matches all objects. A null + label selector matches no objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. This - array is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -38010,11 +34721,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -38025,11 +34735,10 @@ spec: type: object type: array webhookTimeoutSeconds: - description: WebhookTimeoutSeconds specifies the maximum time in seconds - allowed to apply this policy. After the configured time expires, - the admission request may fail, or may simply ignore the policy - results, based on the failure policy. The default timeout is 10s, - the value must be between 1 and 30 seconds. + description: |- + WebhookTimeoutSeconds specifies the maximum time in seconds allowed to apply this policy. + After the configured time expires, the admission request may fail, or may simply ignore the policy results, + based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds. format: int32 type: integer type: object 
@@ -38043,51 +34752,49 @@ spec: description: Rules is a list of Rule instances. It contains auto generated rules added for pod controllers items: - description: Rule defines a validation, mutation, or generation - control for matching resources. Each rules contains a match - declaration to select resources, and an optional exclude declaration - to specify which resources to exclude. + description: |- + Rule defines a validation, mutation, or generation control for matching resources. + Each rules contains a match declaration to select resources, and an optional exclude + declaration to specify which resources to exclude. properties: celPreconditions: - description: CELPreconditions are used to determine if a - policy rule should be applied by evaluating a set of CEL - conditions. It can only be used with the validate.cel - subrule + description: |- + CELPreconditions are used to determine if a policy rule should be applied by evaluating a + set of CEL conditions. It can only be used with the validate.cel subrule items: description: MatchCondition represents a condition which must by fulfilled for a request to be sent to a webhook. properties: expression: - description: "Expression represents the expression - which will be evaluated by CEL. Must evaluate to - bool. CEL expressions have access to the contents - of the AdmissionRequest and Authorizer, organized - into CEL variables: \n 'object' - The object from - the incoming request. The value is null for DELETE - requests. 'oldObject' - The existing object. The - value is null for CREATE requests. 'request' - Attributes - of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). - 'authorizer' - A CEL Authorizer. May be used to - perform authorization checks for the principal (user - or service account) of the request. 
See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - 'authorizer.requestResource' - A CEL ResourceCheck - constructed from the 'authorizer' and configured - with the request resource. Documentation on CEL: - https://kubernetes.io/docs/reference/using-api/cel/ - \n Required." + description: |- + Expression represents the expression which will be evaluated by CEL. Must evaluate to bool. + CEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables: + + + 'object' - The object from the incoming request. The value is null for DELETE requests. + 'oldObject' - The existing object. The value is null for CREATE requests. + 'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest). + 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request. + See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the + request resource. + Documentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/ + + + Required. type: string name: - description: "Name is an identifier for this match - condition, used for strategic merging of MatchConditions, - as well as providing an identifier for logging purposes. - A good name should be descriptive of the associated - expression. Name must be a qualified name consisting - of alphanumeric characters, '-', '_' or '.', and - must start and end with an alphanumeric character - (e.g. 'MyName', or 'my.name', or '123-abc', regex - used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') - with an optional DNS subdomain prefix and '/' (e.g. - 'example.com/MyName') \n Required." + description: |- + Name is an identifier for this match condition, used for strategic merging of MatchConditions, + as well as providing an identifier for logging purposes. 
A good name should be descriptive of + the associated expression. + Name must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and + must start and end with an alphanumeric character (e.g. 'MyName', or 'my.name', or + '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an + optional DNS subdomain prefix and '/' (e.g. 'example.com/MyName') + + + Required. type: string required: - expression @@ -38098,15 +34805,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and data sources - to a rule Context. Either a ConfigMap reference or a - APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request to the Kubernetes - API server, or other JSON web service. The data - returned is stored in the context with the name - for the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST data sent 
@@ -38128,13 +34834,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - JSON response returned from the server. For - example a JMESPath of "items | length(@)" applied - to the API server response for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments across - all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -38149,23 +34854,24 @@ spec: web service properties: caBundle: - description: CABundle is a PEM encoded CA - bundle which will be used to validate the - server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web service URL. - A typical form is `https://{service}.{namespace}:{port}/{path}`. + description: |- + URL is the JSON web service URL. A typical form is + `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path to be used - in the HTTP GET or POST request to the Kubernetes - API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format used - by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. + See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string type: object @@ -38182,8 +34888,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests to an - OCI/Docker V2 registry to fetch image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials provides 
@@ -38195,10 +34902,9 @@ spec: insecure access to a registry. type: boolean providers: - description: 'Providers specifies a list of - OCI Registry names, whose authentication - providers are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -38212,23 +34918,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets - must live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional JSON Match - Expression that can be used to transform the - ImageData struct returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference to - a container image in the registry. Example: - ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -38241,14 +34947,14 @@ spec: context variable that can be defined inline. properties: default: - description: Default is an optional arbitrary - JSON object that the variable may take if the - JMESPath expression evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional JMESPath - Expression that can be used to transform the - variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary JSON object @@ -38258,11 +34964,10 @@ spec: type: object type: array exclude: - description: ExcludeResources defines when this policy rule - should not be applied. The exclude criteria can include - resource information (e.g. kind, name, namespace, labels) - and admission review request information like the name - or role. + description: |- + ExcludeResources defines when this policy rule should not be applied. The exclude + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the name or role. properties: all: description: All allows specifying resources which will @@ -38284,10 +34989,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -38296,60 +35000,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -38362,20 +35055,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -38396,44 +35086,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38446,12 +35127,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -38466,36 +35145,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -38525,10 +35196,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -38537,60 +35207,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -38603,20 +35262,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -38637,44 +35293,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38687,12 +35334,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -38707,36 +35352,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -38753,21 +35390,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -38775,57 +35410,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -38838,20 +35465,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -38871,42 +35495,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -38919,12 +35536,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -38939,32 +35554,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -38980,11 +35591,10 @@ spec: description: APIVersion specifies resource apiVersion. type: string clone: - description: Clone specifies the source resource used - to populate each generated resource. At most one of - Data or Clone can be specified. If neither are provided, - the generated resource will be created with default - data only. + description: |- + Clone specifies the source resource used to populate each generated resource. + At most one of Data or Clone can be specified. If neither are provided, the generated + resource will be created with default data only. properties: name: description: Name specifies name of the resource. 
@@ -39008,37 +35618,33 @@ spec: namespace. type: string selector: - description: Selector is a label selector. Label - keys and values in `matchLabels`. wildcard characters - are not supported. + description: |- + Selector is a label selector. Label keys and values in `matchLabels`. + wildcard characters are not supported. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -39051,22 +35657,19 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object data: - description: Data provides the resource declaration - used to populate each generated resource. At most - one of Data or Clone must be specified. If neither - are provided, the generated resource will be created - with default data only. + description: |- + Data provides the resource declaration used to populate each generated resource. + At most one of Data or Clone must be specified. If neither are provided, the generated + resource will be created with default data only. x-kubernetes-preserve-unknown-fields: true kind: description: Kind specifies resource kind. 
@@ -39078,11 +35681,10 @@ spec: description: Namespace specifies resource namespace. type: string synchronize: - description: Synchronize controls if generated resources - should be kept in-sync with their source resource. - If Synchronize is set to "true" changes to generated - resources will be overwritten with resource data from - Data or the resource specified in the Clone declaration. + description: |- + Synchronize controls if generated resources should be kept in-sync with their source resource. + If Synchronize is set to "true" changes to generated resources will be overwritten with resource + data from Data or the resource specified in the Clone declaration. Optional. Defaults to "false" if not specified. type: boolean uid: 
@@ -39094,50 +35696,46 @@ spec: items: properties: jmesPath: - description: 'JMESPath is an optional JMESPath expression - to apply to the image value. This is useful when - the extracted image begins with a prefix like - ''docker://''. The ''trim_prefix'' function may - be used to trim the prefix: trim_prefix(@, ''docker://''). - Note - Image digest mutation may not be used when - applying a JMESPAth to an image.' + description: |- + JMESPath is an optional JMESPath expression to apply to the image value. + This is useful when the extracted image begins with a prefix like 'docker://'. + The 'trim_prefix' function may be used to trim the prefix: trim_prefix(@, 'docker://'). + Note - Image digest mutation may not be used when applying a JMESPAth to an image. type: string key: - description: Key is an optional name of the field - within 'path' that will be used to uniquely identify - an image. Note - this field MUST be unique. + description: |- + Key is an optional name of the field within 'path' that will be used to uniquely identify an image. + Note - this field MUST be unique. type: string name: - description: Name is the entry the image will be - available under 'images.' in the context. - If this field is not defined, image entries will - appear under 'images.custom'. + description: |- + Name is the entry the image will be available under 'images.' in the context. + If this field is not defined, image entries will appear under 'images.custom'. type: string path: - description: Path is the path to the object containing - the image field in a custom resource. It should - be slash-separated. Each slash-separated key must - be a valid YAML key or a wildcard '*'. Wildcard - keys are expanded in case of arrays or objects. + description: |- + Path is the path to the object containing the image field in a custom resource. + It should be slash-separated. Each slash-separated key must be a valid YAML key or a wildcard '*'. 
+ Wildcard keys are expanded in case of arrays or objects. type: string value: - description: Value is an optional name of the field - within 'path' that points to the image URI. This - is useful when a custom 'key' is also defined. + description: |- + Value is an optional name of the field within 'path' that points to the image URI. + This is useful when a custom 'key' is also defined. type: string required: - path type: object type: array - description: ImageExtractors defines a mapping from kinds - to ImageExtractorConfigs. This config is only valid for - verifyImages rules. + description: |- + ImageExtractors defines a mapping from kinds to ImageExtractorConfigs. + This config is only valid for verifyImages rules. type: object match: - description: MatchResources defines when this policy rule - should be applied. The match criteria can include resource - information (e.g. kind, name, namespace, labels) and admission - review request information like the user name or role. + description: |- + MatchResources defines when this policy rule should be applied. The match + criteria can include resource information (e.g. kind, name, namespace, labels) + and admission review request information like the user name or role. At least one kind is required. properties: all: @@ -39160,10 +35758,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -39172,60 +35769,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -39238,20 +35824,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -39272,44 +35855,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39322,12 +35896,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -39342,36 +35914,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -39401,10 +35965,9 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation - keys and values support the wildcard characters - "*" (matches zero or many characters) and + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). type: object kinds: 
@@ -39413,60 +35976,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). NOTE: "Name" is - being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" - (matches zero or many characters) and "?" - (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label - selector for the resource namespace. Label - keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character).Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -39479,20 +36031,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and - "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -39513,44 +36062,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. - Label keys and values in `matchLabels` support - the wildcard characters `*` (matches zero - or many characters) and `?` (matches one - character). Wildcards allows writing label - selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any - key and value but does not match an empty - label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents - a key's relationship to a set - of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array - of string values. If the operator - is In or NotIn, the values array - must be non-empty. If the operator - is Exists or DoesNotExist, the - values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39563,12 +36103,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -39583,36 +36121,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to - the object or user identities a role binding - applies to. This can either hold a direct - API object reference, or a value for non-objects - such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group - of the referenced subject. Defaults to - "" for ServiceAccount subjects. Defaults - to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the - Authorizer does not recognized the kind - value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced - object. If the object kind is non-namespace, - such as "User" or "Group", and this value - is not empty the Authorizer should report - an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -39629,21 +36159,19 @@ spec: type: string type: array resources: - description: ResourceDescription contains information - about the resource being created or modified. Requires - at least one tag to be specified when under MatchResources. - Specifying ResourceDescription directly under match - is being deprecated. Please specify under "any" or - "all" instead. + description: |- + ResourceDescription contains information about the resource being created or modified. + Requires at least one tag to be specified when under MatchResources. + Specifying ResourceDescription directly under match is being deprecated. + Please specify under "any" or "all" instead. properties: annotations: additionalProperties: type: string - description: Annotations is a map of annotations - (key-value pairs of type string). Annotation keys - and values support the wildcard characters "*" - (matches zero or many characters) and "?" (matches - at least one character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -39651,57 +36179,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. - The name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). NOTE: "Name" is being deprecated in - favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one - character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` - (matches one character).Wildcards allows writing - label selectors like ["storage.k8s.io/*": "*"]. - Note that using ["*" : "*"] matches any key and - value but does not match an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -39714,20 +36234,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces - names. Each name supports wildcard characters - "*" (matches zero or many characters) and "?" - (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -39747,42 +36264,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label - keys and values in `matchLabels` support the wildcard - characters `*` (matches zero or many characters) - and `?` (matches one character). Wildcards allows - writing label selectors like ["storage.k8s.io/*": - "*"]. Note that using ["*" : "*"] matches any - key and value but does not match an empty label - set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a key, - and an operator that relates the key and - values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string @@ -39795,12 +36305,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -39815,32 +36323,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or - a value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the - referenced subject. Defaults to "" for ServiceAccount - subjects. Defaults to "rbac.authorization.k8s.io" - for User and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. - Values defined by this API group are "User", - "Group", and "ServiceAccount". If the Authorizer - does not recognized the kind value, the Authorizer - should report an error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the - Authorizer should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -39867,16 +36371,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -39899,15 +36401,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -39922,25 +36421,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -39960,9 +36457,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -39974,11 +36471,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -39992,25 +36487,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -40024,15 +36517,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -40047,43 +36539,41 @@ spec: iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string order: - description: Order defines the iteration order - on the list. Can be Ascending to iterate from - first to last element or Descending to iterate - in from last to first element. + description: |- + Order defines the iteration order on the list. + Can be Ascending to iterate from first to last element or Descending to iterate in from last to first element. enum: - Ascending - Descending type: string patchStrategicMerge: - description: PatchStrategicMerge is a strategic - merge patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC - 6902 JSON Patch declarations used to modify - resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. 
The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40098,14 +36588,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -40125,20 +36612,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -40153,14 +36638,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -40180,10 +36662,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array @@ -40192,14 +36673,15 @@ spec: type: object type: array patchStrategicMerge: - description: PatchStrategicMerge is a strategic merge - patch used to modify resources. See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ + description: |- + PatchStrategicMerge is a strategic merge patch used to modify resources. + See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/ and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/. x-kubernetes-preserve-unknown-fields: true patchesJson6902: - description: PatchesJSON6902 is a list of RFC 6902 JSON - Patch declarations used to modify resources. See https://tools.ietf.org/html/rfc6902 - and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. + description: |- + PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources. + See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/. type: string targets: description: Targets defines the target resources to 
@@ -40215,16 +36697,14 @@ spec: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST @@ -40247,15 +36727,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET 
@@ -40270,25 +36747,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string @@ -40308,9 +36783,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials 
@@ -40322,11 +36797,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40340,25 +36813,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -40372,15 +36843,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary @@ -40400,14 +36870,12 @@ spec: description: Namespace specifies resource namespace. type: string preconditions: - description: 'Preconditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. A direct list - of conditions (without `any` or `all` statements - is supported for backwards compatibility but + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/preconditions/' + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true uid: description: UID specifies the resource uid. 
@@ -40421,27 +36889,32 @@ spec: maxLength: 63 type: string preconditions: - description: 'Preconditions are used to determine if a policy - rule should be applied by evaluating a set of conditions. - The declaration can contain nested `any` or `all` statements. - A direct list of conditions (without `any` or `all` statements - is supported for backwards compatibility but will be deprecated - in the next major release. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + Preconditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. A direct list + of conditions (without `any` or `all` statements is supported for backwards compatibility but + will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/preconditions/ x-kubernetes-preserve-unknown-fields: true skipBackgroundRequests: default: true - description: SkipBackgroundRequests bypasses admission requests - that are sent by the background controller. The default - value is set to "true", it must be set to "false" to apply + description: |- + SkipBackgroundRequests bypasses admission requests that are sent by the background controller. + The default value is set to "true", it must be set to "false" to apply generate and mutateExisting rules to those requests. type: boolean validate: description: Validation is used to validate matching resources. properties: + allowExistingViolations: + default: true + description: AllowExistingViolations allows prexisting + violating resources to continue violating a policy. + type: boolean anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must be satisfied - for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. 
x-kubernetes-preserve-unknown-fields: true cel: description: CEL allows validation checks using the 
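Review bot: The newly added `allowExistingViolations` field under `validate` defaults to `true`, so a validation rule will, by default, keep accepting resources that already violate it, and the description only says "allows prexisting violating resources to continue violating a policy" with a typo and no hint that `false` is the stricter setting. Since this looks like controller-gen output, the wording should be fixed in the Go doc comment of the validation type rather than in this YAML, e.g. `// AllowExistingViolations allows pre-existing violating resources to continue violating a policy. Set to false to enforce the rule on such resources as well.`; which admission operations are affected (presumably updates to already-violating objects) is not visible here and should be stated explicitly by whoever knows the semantics. The enclosing rule schema starts and ends outside this hunk.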
@@ -40456,41 +36929,45 @@ spec: produce an audit annotation for an API request. properties: key: - description: "key specifies the audit annotation - key. The audit annotation keys of a ValidatingAdmissionPolicy - must be unique. The key must be a qualified - name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more - than 63 bytes in length. \n The key is combined - with the resource name of the ValidatingAdmissionPolicy - to construct an audit annotation key: \"{ValidatingAdmissionPolicy - name}/{key}\". \n If an admission webhook - uses the same resource name as this ValidatingAdmissionPolicy - and the same audit annotation key, the annotation - key will be identical. In this case, the - first annotation written with the key will - be included in the audit event and all subsequent - annotations with the same key will be discarded. - \n Required." + description: |- + key specifies the audit annotation key. The audit annotation keys of + a ValidatingAdmissionPolicy must be unique. The key must be a qualified + name ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length. + + + The key is combined with the resource name of the + ValidatingAdmissionPolicy to construct an audit annotation key: + "{ValidatingAdmissionPolicy name}/{key}". + + + If an admission webhook uses the same resource name as this ValidatingAdmissionPolicy + and the same audit annotation key, the annotation key will be identical. + In this case, the first annotation written with the key will be included + in the audit event and all subsequent annotations with the same key + will be discarded. + + + Required. type: string valueExpression: - description: "valueExpression represents the - expression which is evaluated by CEL to - produce an audit annotation value. The expression - must evaluate to either a string or null - value. If the expression evaluates to a - string, the audit annotation is included - with the string value. 
If the expression - evaluates to null or empty string the audit - annotation will be omitted. The valueExpression - may be no longer than 5kb in length. If - the result of the valueExpression is more - than 10kb in length, it will be truncated - to 10kb. \n If multiple ValidatingAdmissionPolicyBinding - resources match an API request, then the - valueExpression will be evaluated for each - binding. All unique values produced by the - valueExpressions will be joined together - in a comma-separated list. \n Required." + description: |- + valueExpression represents the expression which is evaluated by CEL to + produce an audit annotation value. The expression must evaluate to either + a string or null value. If the expression evaluates to a string, the + audit annotation is included with the string value. If the expression + evaluates to null or empty string the audit annotation will be omitted. + The valueExpression may be no longer than 5kb in length. + If the result of the valueExpression is more than 10kb in length, it + will be truncated to 10kb. + + + If multiple ValidatingAdmissionPolicyBinding resources match an + API request, then the valueExpression will be evaluated for + each binding. All unique values produced by the valueExpressions + will be joined together in a comma-separated list. + + + Required. type: string required: - key 
@@ -40506,124 +36983,104 @@ spec: properties: expression: description: "Expression represents the expression - which will be evaluated by CEL. ref: https://github.com/google/cel-spec - CEL expressions have access to the contents + which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL + expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful - variables: \n - 'object' - The object from - the incoming request. The value is null - for DELETE requests. - 'oldObject' - The - existing object. The value is null for CREATE - requests. - 'request' - Attributes of the - API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)). - - 'params' - Parameter resource referred - to by the policy binding being evaluated. - Only populated if the policy has a ParamKind. - - 'namespaceObject' - The namespace object + variables:\n\n\n- 'object' - The object + from the incoming request. The value is + null for DELETE requests.\n- 'oldObject' + - The existing object. The value is null + for CREATE requests.\n- 'request' - Attributes + of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- + 'params' - Parameter resource referred to + by the policy binding being evaluated. Only + populated if the policy has a ParamKind.\n- + 'namespaceObject' - The namespace object that the incoming object belongs to. The - value is null for cluster-scoped resources. - - 'variables' - Map of composited variables, - from its name to its lazily evaluated value. - For example, a variable named 'foo' can - be accessed as 'variables.foo'. - 'authorizer' + value is null for cluster-scoped resources.\n- + 'variables' - Map of composited variables, + from its name to its lazily evaluated value.\n + \ For example, a variable named 'foo' can + be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. 
May be used to perform authorization checks for the principal (user - or service account) of the request. See - https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz - - 'authorizer.requestResource' - A CEL ResourceCheck + or service account) of the request.\n See + https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- + 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured - with the request resource. \n The `apiVersion`, + with the\n request resource.\n\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` - are always accessible from the root of the - object. No other metadata properties are - accessible. \n Only property names of the - form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are - accessible. Accessible property names are - escaped according to the following rules - when accessed in the expression: - '__' - escapes to '__underscores__' - '.' escapes - to '__dot__' - '-' escapes to '__dash__' - - '/' escapes to '__slash__' - Property - names that exactly match a CEL RESERVED - keyword escape to '__{keyword}__'. The keywords - are: \"true\", \"false\", \"null\", \"in\", - \"as\", \"break\", \"const\", \"continue\", - \"else\", \"for\", \"function\", \"if\", - \"import\", \"let\", \"loop\", \"package\", - \"namespace\", \"return\". Examples: - Expression - accessing a property named \"namespace\": - {\"Expression\": \"object.__namespace__ - > 0\"} - Expression accessing a property + are always accessible from the root of the\nobject. + No other metadata properties are accessible.\n\n\nOnly + property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` + are accessible.\nAccessible property names + are escaped according to the following rules + when accessed in the expression:\n- '__' + escapes to '__underscores__'\n- '.' escapes + to '__dot__'\n- '-' escapes to '__dash__'\n- + '/' escapes to '__slash__'\n- Property names + that exactly match a CEL RESERVED keyword + escape to '__{keyword}__'. 
The keywords + are:\n\t \"true\", \"false\", \"null\", + \"in\", \"as\", \"break\", \"const\", \"continue\", + \"else\", \"for\", \"function\", \"if\",\n\t + \ \"import\", \"let\", \"loop\", \"package\", + \"namespace\", \"return\".\nExamples:\n + \ - Expression accessing a property named + \"namespace\": {\"Expression\": \"object.__namespace__ + > 0\"}\n - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop - > 0\"} - Expression accessing a property + > 0\"}\n - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d - > 0\"} \n Equality on arrays with list type - of 'set' or 'map' ignores element order, - i.e. [1, 2] == [2, 1]. Concatenation on + > 0\"}\n\n\nEquality on arrays with list + type of 'set' or 'map' ignores element order, + i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the - semantics of the list type: - 'set': `X - + Y` performs a union where the array positions - of all elements in `X` are preserved and - non-intersecting elements in `Y` are appended, - retaining their partial order. - 'map': - `X + Y` performs a merge where the array - positions of all keys in `X` are preserved - but the values are overwritten by values - in `Y` when the key sets of `X` and `Y` - intersect. Elements in `Y` with non-intersecting - keys are appended, retaining their partial - order. Required." + semantics of the list type:\n - 'set': + `X + Y` performs a union where the array + positions of all elements in `X` are preserved + and\n non-intersecting elements in `Y` + are appended, retaining their partial order.\n + \ - 'map': `X + Y` performs a merge where + the array positions of all keys in `X` are + preserved but the values\n are overwritten + by values in `Y` when the key sets of `X` + and `Y` intersect. Elements in `Y` with\n + \ non-intersecting keys are appended, + retaining their partial order.\nRequired." 
type: string message: - description: 'Message represents the message - displayed when validation fails. The message - is required if the Expression contains line - breaks. The message must not contain line - breaks. If unset, the message is "failed - rule: {Rule}". e.g. "must be a URL with - the host matching spec.host" If the Expression - contains line breaks. Message is required. + description: |- + Message represents the message displayed when validation fails. The message is required if the Expression contains + line breaks. The message must not contain line breaks. + If unset, the message is "failed rule: {Rule}". + e.g. "must be a URL with the host matching spec.host" + If the Expression contains line breaks. Message is required. The message must not contain line breaks. - If unset, the message is "failed Expression: - {Expression}".' + If unset, the message is "failed Expression: {Expression}". type: string messageExpression: - description: 'messageExpression declares a - CEL expression that evaluates to the validation - failure message that is returned when this - rule fails. Since messageExpression is used - as a failure message, it must evaluate to - a string. If both message and messageExpression - are present on a validation, then messageExpression - will be used if validation fails. If messageExpression - results in a runtime error, the runtime - error is logged, and the validation failure - message is produced as if the messageExpression - field were unset. If messageExpression evaluates - to an empty string, a string with only spaces, - or a string that contains line breaks, then - the validation failure message will also - be produced as if the messageExpression - field were unset, and the fact that messageExpression - produced an empty string/string with only - spaces/string with line breaks will be logged. - messageExpression has access to all the - same variables as the `expression` except - for ''authorizer'' and ''authorizer.requestResource''. 
- Example: "object.x must be less than max - ("+string(params.max)+")"' + description: |- + messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails. + Since messageExpression is used as a failure message, it must evaluate to a string. + If both message and messageExpression are present on a validation, then messageExpression will be used if validation fails. + If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced + as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string + that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and + the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged. + messageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'. + Example: + "object.x must be less than max ("+string(params.max)+")" type: string reason: - description: 'Reason represents a machine-readable - description of why this validation failed. - If this is the first validation in the list - to fail, this reason, as well as the corresponding - HTTP response code, are used in the HTTP - response to the client. The currently supported - reasons are: "Unauthorized", "Forbidden", - "Invalid", "RequestEntityTooLarge". If not - set, StatusReasonInvalid is used in the - response to the client.' + description: |- + Reason represents a machine-readable description of why this validation failed. + If this is the first validation in the list to fail, this reason, as well as the + corresponding HTTP response code, are used in the + HTTP response to the client. 
+ The currently supported reasons are: "Unauthorized", "Forbidden", "Invalid", "RequestEntityTooLarge". + If not set, StatusReasonInvalid is used in the response to the client. type: string required: - expression @@ -40634,13 +37091,15 @@ spec: and Version. properties: apiVersion: - description: APIVersion is the API group version - the resources belong to. In format of "group/version". + description: |- + APIVersion is the API group version the resources belong to. + In format of "group/version". Required. type: string kind: - description: Kind is the API kind the resources - belong to. Required. + description: |- + Kind is the API kind the resources belong to. + Required. type: string type: object x-kubernetes-map-type: atomic 
@@ -40648,82 +37107,83 @@ spec: description: ParamRef references a parameter resource. properties: name: - description: "`name` is the name of the resource - being referenced. \n `name` and `selector` - are mutually exclusive properties. If one - is set, the other must be unset." + description: |- + `name` is the name of the resource being referenced. + + + `name` and `selector` are mutually exclusive properties. If one is set, + the other must be unset. type: string namespace: - description: "namespace is the namespace of - the referenced resource. Allows limiting the - search for params to a specific namespace. - Applies to both `name` and `selector` fields. - \n A per-namespace parameter may be used by - specifying a namespace-scoped `paramKind` - in the policy and leaving this field empty. - \n - If `paramKind` is cluster-scoped, this - field MUST be unset. Setting this field results - in a configuration error. \n - If `paramKind` - is namespace-scoped, the namespace of the - object being evaluated for admission will - be used when this field is left unset. Take - care that if this is left empty the binding - must not match any cluster-scoped resources, - which will result in an error." + description: |- + namespace is the namespace of the referenced resource. Allows limiting + the search for params to a specific namespace. Applies to both `name` and + `selector` fields. + + + A per-namespace parameter may be used by specifying a namespace-scoped + `paramKind` in the policy and leaving this field empty. + + + - If `paramKind` is cluster-scoped, this field MUST be unset. Setting this + field results in a configuration error. + + + - If `paramKind` is namespace-scoped, the namespace of the object being + evaluated for admission will be used when this field is left unset. Take + care that if this is left empty the binding must not match any cluster-scoped + resources, which will result in an error. 
type: string parameterNotFoundAction: - description: "`parameterNotFoundAction` controls - the behavior of the binding when the resource - exists, and name or selector is valid, but - there are no parameters matched by the binding. - If the value is set to `Allow`, then no matched - parameters will be treated as successful validation - by the binding. If set to `Deny`, then no - matched parameters will be subject to the - `failurePolicy` of the policy. \n Allowed - values are `Allow` or `Deny` Default to `Deny`" + description: |- + `parameterNotFoundAction` controls the behavior of the binding when the resource + exists, and name or selector is valid, but there are no parameters + matched by the binding. If the value is set to `Allow`, then no + matched parameters will be treated as successful validation by the binding. + If set to `Deny`, then no matched parameters will be subject to the + `failurePolicy` of the policy. + + + Allowed values are `Allow` or `Deny` + Default to `Deny` type: string selector: - description: "selector can be used to match - multiple param objects based on their labels. - Supply selector: {} to match all resources - of the ParamKind. \n If multiple params are - found, they are all evaluated with the policy - expressions and the results are ANDed together. - \n One of `name` or `selector` must be set, - but `name` and `selector` are mutually exclusive - properties. If one is set, the other must - be unset." + description: |- + selector can be used to match multiple param objects based on their labels. + Supply selector: {} to match all resources of the ParamKind. + + + If multiple params are found, they are all evaluated with the policy expressions + and the results are ANDed together. + + + One of `name` or `selector` must be set, but `name` and `selector` are + mutually exclusive properties. If one is set, the other must be unset. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. 
The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, - a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a - key's relationship to a set of values. - Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of - string values. If the operator is - In or NotIn, the values array must - be non-empty. If the operator is - Exists or DoesNotExist, the values - array must be empty. This array - is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -40735,41 +37195,34 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator - is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object x-kubernetes-map-type: atomic variables: - description: Variables contain definitions of variables - that can be used in composition of other expressions. + description: |- + Variables contain definitions of variables that can be used in composition of other expressions. Each variable is defined as a named CEL expression. - The variables defined here will be available under - `variables` in other expressions of the policy. + The variables defined here will be available under `variables` in other expressions of the policy. items: description: Variable is the definition of a variable that is used for composition. properties: expression: - description: Expression is the expression - that will be evaluated as the value of the - variable. The CEL expression has access - to the same identifiers as the CEL expressions - in Validation. + description: |- + Expression is the expression that will be evaluated as the value of the variable. + The CEL expression has access to the same identifiers as the CEL expressions in Validation. type: string name: - description: Name is the name of the variable. - The name must be a valid CEL identifier - and unique among all variables. 
The variable - can be accessed in other expressions through - `variables` For example, if name is "foo", - the variable will be available as `variables.foo` + description: |- + Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables. + The variable can be accessed in other expressions through `variables` + For example, if name is "foo", the variable will be available as `variables.foo` type: string required: - expression @@ -40782,12 +37235,11 @@ spec: fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct list - of conditions (without `any` or `all` statements) - is also supported for backwards compatibility + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility but will be deprecated in the next major release. - See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object foreach: 
@@ -40802,24 +37254,22 @@ spec: apply the specified logic. properties: anyPattern: - description: AnyPattern specifies list of validation - patterns. At least one of the patterns must - be satisfied for the validation rule to succeed. + description: |- + AnyPattern specifies list of validation patterns. At least one of the patterns + must be satisfied for the validation rule to succeed. x-kubernetes-preserve-unknown-fields: true context: description: Context defines variables and data sources that can be used during rule execution. items: - description: ContextEntry adds variables and - data sources to a rule Context. Either a ConfigMap - reference or a APILookup must be provided. + description: |- + ContextEntry adds variables and data sources to a rule Context. Either a + ConfigMap reference or a APILookup must be provided. properties: apiCall: - description: APICall is an HTTP request - to the Kubernetes API server, or other - JSON web service. The data returned is - stored in the context with the name for - the context entry. + description: |- + APICall is an HTTP request to the Kubernetes API server, or other JSON web service. + The data returned is stored in the context with the name for the context entry. properties: data: description: Data specifies the POST 
@@ -40842,15 +37292,12 @@ spec: type: object type: array jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the JSON response - returned from the server. For example - a JMESPath of "items | length(@)" - applied to the API server response - for the URLPath "/apis/apps/v1/deployments" - will return the total count of deployments - across all namespaces. + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the JSON response returned from the server. For example + a JMESPath of "items | length(@)" applied to the API server response + for the URLPath "/apis/apps/v1/deployments" will return the total count + of deployments across all namespaces. type: string method: default: GET @@ -40865,25 +37312,23 @@ spec: to a JSON web service properties: caBundle: - description: CABundle is a PEM encoded - CA bundle which will be used to - validate the server certificate. + description: |- + CABundle is a PEM encoded CA bundle which will be used to validate + the server certificate. type: string url: - description: URL is the JSON web - service URL. A typical form is + description: |- + URL is the JSON web service URL. A typical form is `https://{service}.{namespace}:{port}/{path}`. type: string required: - url type: object urlPath: - description: URLPath is the URL path - to be used in the HTTP GET or POST - request to the Kubernetes API server - (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). - The format required is the same format - used by the `kubectl get --raw` command. + description: |- + URLPath is the URL path to be used in the HTTP GET or POST request to the + Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments"). + The format required is the same format used by the `kubectl get --raw` command. See https://kyverno.io/docs/writing-policies/external-data-sources/#variables-from-kubernetes-api-server-calls for details. type: string 
@@ -40903,9 +37348,9 @@ spec: - name type: object imageRegistry: - description: ImageRegistry defines requests - to an OCI/Docker V2 registry to fetch - image details. + description: |- + ImageRegistry defines requests to an OCI/Docker V2 registry to fetch image + details. properties: imageRegistryCredentials: description: ImageRegistryCredentials @@ -40917,11 +37362,9 @@ spec: allows insecure access to a registry. type: boolean providers: - description: 'Providers specifies - a list of OCI Registry names, - whose authentication providers - are provided. It can be of one - of these values: default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential @@ -40935,25 +37378,23 @@ spec: type: string type: array secrets: - description: Secrets specifies a - list of secrets that are provided - for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array type: object jmesPath: - description: JMESPath is an optional - JSON Match Expression that can be - used to transform the ImageData struct - returned as a result of processing + description: |- + JMESPath is an optional JSON Match Expression that can be used to + transform the ImageData struct returned as a result of processing the image reference. type: string reference: - description: 'Reference is image reference - to a container image in the registry. - Example: ghcr.io/kyverno/kyverno:latest' + description: |- + Reference is image reference to a container image in the registry. + Example: ghcr.io/kyverno/kyverno:latest type: string required: - reference 
@@ -40967,15 +37408,14 @@ spec: defined inline. properties: default: - description: Default is an optional - arbitrary JSON object that the variable - may take if the JMESPath expression - evaluates to nil + description: |- + Default is an optional arbitrary JSON object that the variable may take if the JMESPath + expression evaluates to nil x-kubernetes-preserve-unknown-fields: true jmesPath: - description: JMESPath is an optional - JMESPath Expression that can be used - to transform the variable. + description: |- + JMESPath is an optional JMESPath Expression that can be used to + transform the variable. type: string value: description: Value is any arbitrary 
@@ -40990,48 +37430,44 @@ spec: or fail a validation rule. properties: conditions: - description: 'Multiple conditions can be declared - under an `any` or `all` statement. A direct - list of conditions (without `any` or `all` - statements) is also supported for backwards - compatibility but will be deprecated in - the next major release. See: https://kyverno.io/docs/writing-policies/validate/#deny-rules' + description: |- + Multiple conditions can be declared under an `any` or `all` statement. A direct list + of conditions (without `any` or `all` statements) is also supported for backwards compatibility + but will be deprecated in the next major release. + See: https://kyverno.io/docs/writing-policies/validate/#deny-rules x-kubernetes-preserve-unknown-fields: true type: object elementScope: - description: ElementScope specifies whether to - use the current list element as the scope for - validation. Defaults to "true" if not specified. - When set to "false", "request.object" is used - as the validation scope within the foreach block - to allow referencing other elements in the subtree. + description: |- + ElementScope specifies whether to use the current list element as the scope for validation. Defaults to "true" if not specified. + When set to "false", "request.object" is used as the validation scope within the foreach + block to allow referencing other elements in the subtree. type: boolean foreach: description: Foreach declares a nested foreach iterator x-kubernetes-preserve-unknown-fields: true list: - description: List specifies a JMESPath expression - that results in one or more elements to which - the validation logic is applied. + description: |- + List specifies a JMESPath expression that results in one or more elements + to which the validation logic is applied. type: string pattern: description: Pattern specifies an overlay-style pattern used to check resources. 
x-kubernetes-preserve-unknown-fields: true preconditions: - description: 'AnyAllConditions are used to determine - if a policy rule should be applied by evaluating - a set of conditions. The declaration can contain - nested `any` or `all` statements. See: https://kyverno.io/docs/writing-policies/preconditions/' + description: |- + AnyAllConditions are used to determine if a policy rule should be applied by evaluating a + set of conditions. The declaration can contain nested `any` or `all` statements. + See: https://kyverno.io/docs/writing-policies/preconditions/ properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, all of the conditions - need to pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -41046,14 +37482,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -41073,20 +37506,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is useful - for finer control of when an rule is applied. - A condition can reference object data using - JMESPath notation. Here, at least one of - the conditions need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -41101,14 +37532,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals 
@@ -41128,10 +37556,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -41154,31 +37581,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If the - count is null, all entries must match (a - logical AND). If the count is 1, at least - one entry must match (a logical OR). If - the count contains a value N, then N must - be less than or equal to the size of entries, - and at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or - a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -41199,21 +37620,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -41221,36 +37635,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -41261,9 +37664,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless - attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41273,21 +37676,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -41295,15 +37691,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41311,24 +37702,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -41338,10 +37723,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, - the system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified @@ -41354,21 +37738,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a configuration - for validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior - by Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp (SCT) - log to check for a certificate - timestamp. Default is false. - Set to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, 
@@ -41376,63 +37753,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 - timestamp authority. Must - contain the root CA certificate. - Optionally may contain intermediate - CA certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a - Key Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable - reference to a key specified in - a ConfigMap (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log - service. If an empty object is - provided the public instance of - Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is - an optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used - to validate transparency log - signatures from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -41468,12 +37823,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository - will override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -41514,10 +37866,9 @@ spec: type: object type: array repository: - description: Repository is an optional alternate - OCI repository to use for resource bundle reference. - The repository can be overridden per Attestor - or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for resource bundle reference. + The repository can be overridden per Attestor or Attestation. type: string type: object message: @@ -41529,9 +37880,9 @@ spec: used to check resources. x-kubernetes-preserve-unknown-fields: true podSecurity: - description: PodSecurity applies exemptions for Kubernetes - Pod Security admission by specifying exclusions for - Pod Security Standards controls. + description: |- + PodSecurity applies exemptions for Kubernetes Pod Security admission + by specifying exclusions for Pod Security Standards controls. properties: exclude: description: Exclude specifies the Pod Security @@ -41541,9 +37892,9 @@ spec: Pod Security Standard controls to be excluded. properties: controlName: - description: 'ControlName specifies the name - of the Pod Security Standard control. See: - https://kubernetes.io/docs/concepts/security/pod-security-standards/' + description: |- + ControlName specifies the name of the Pod Security Standard control. + See: https://kubernetes.io/docs/concepts/security/pod-security-standards/ enum: - HostProcess - Host Namespaces 
@@ -41562,14 +37913,11 @@ spec: - Running as Non-root user type: string images: - description: 'Images selects matching containers - and applies the container level PSS. Each - image is the image name consisting of the - registry address, repository, image, and - tag. Empty list matches no containers, PSS - checks are applied at the pod level only. - Wildcards (''*'' and ''?'') are allowed. - See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + Images selects matching containers and applies the container level PSS. + Each image is the image name consisting of the registry address, repository, image, and tag. + Empty list matches no containers, PSS checks are applied at the pod level only. + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array @@ -41578,19 +37926,18 @@ spec: type: object type: array level: - description: Level defines the Pod Security Standard - level to be applied to workloads. Allowed values - are privileged, baseline, and restricted. + description: |- + Level defines the Pod Security Standard level to be applied to workloads. + Allowed values are privileged, baseline, and restricted. enum: - privileged - baseline - restricted type: string version: - description: Version defines the Pod Security Standard - versions that Kubernetes supports. Allowed values - are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, - v1.25, v1.26, latest. Defaults to latest. + description: |- + Version defines the Pod Security Standard versions that Kubernetes supports. + Allowed values are v1.19, v1.20, v1.21, v1.22, v1.23, v1.24, v1.25, v1.26, latest. Defaults to latest. enum: - v1.19 - v1.20 
@@ -41608,10 +37955,10 @@ spec: description: VerifyImages is used to verify image signatures and mutate them to add a digest items: - description: ImageVerification validates that images that - match the specified pattern are signed with the supplied - public key. Once the image is verified it is mutated - to include the SHA digest retrieved during the registration. + description: |- + ImageVerification validates that images that match the specified pattern + are signed with the supplied public key. Once the image is verified it is + mutated to include the SHA digest retrieved during the registration. properties: additionalExtensions: additionalProperties: @@ -41625,17 +37972,15 @@ spec: instead. type: object attestations: - description: Attestations are optional checks for - signed in-toto Statements used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statement declarations. + description: |- + Attestations are optional checks for signed in-toto Statements used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statement declarations. items: - description: Attestation are checks for signed in-toto - Statements that are used to verify the image. - See https://github.com/in-toto/attestation. Kyverno - fetches signed attestations from the OCI registry - and decodes them into a list of Statements. + description: |- + Attestation are checks for signed in-toto Statements that are used to verify the image. + See https://github.com/in-toto/attestation. Kyverno fetches signed attestations from the + OCI registry and decodes them into a list of Statements. properties: attestors: description: Attestors specify the required 
@@ -41643,33 +37988,25 @@ spec: items: properties: count: - description: Count specifies the required - number of entries that must match. If - the count is null, all entries must - match (a logical AND). If the count - is 1, at least one entry must match - (a logical OR). If the count contains - a value N, then N must be less than - or equal to the size of entries, and - at least N entries must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static - key, attributes for keyless verification, - or a nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used - for image verification. Every - specified key-value pair must - exist and match in the verified - payload. The payload may contain - other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested 
@@ -41690,23 +38027,14 @@ spec: certificates used to verify. type: string ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -41715,27 +38043,16 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41743,13 +38060,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -41760,9 +38073,9 @@ spec: type: object type: object keyless: - description: Keyless is a set of - attribute used to verify a Sigstore - keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. + See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: additionalProperties: @@ -41772,23 +38085,14 @@ spec: used for keyless signing. type: object ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -41797,17 +38101,10 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: @@ -41815,13 +38112,9 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41829,13 +38122,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -41845,11 +38134,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted - root certificates. If not - provided, the system roots - are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the @@ -41863,23 +38150,14 @@ spec: or more public keys. properties: ctlog: - description: CTLog (certificate - timestamp log) provides a - configuration for validation - of Signed Certificate Timestamps - (SCTs). If the value is unset, - the default behavior by Cosign - is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed - Certificate Timestamp - (SCT) log to check for - a certificate timestamp. - Default is false. Set - to true if this was opted - out during signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if 
@@ -41888,56 +38166,32 @@ spec: source. type: string tsaCertChain: - description: TSACertChain, - if set, is the PEM-encoded - certificate chain file - for the RFC3161 timestamp - authority. Must contain - the root CA certificate. - Optionally may contain - intermediate CA certificates, - and may contain the leaf - TSA certificate if not - present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the - URI to the public key stored - in a Key Management System. - See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of - X.509 public keys used to - verify image signatures. The - keys can be directly specified - or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format - "k8s:///". - The named Secret must specify - a key `cosign.pub` containing - the public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a - separate staticKey entry (.attestors[*].entries.keys) - within the set of attestors - and the count is applied across - the keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides - configuration for the Rekor - transparency log service. - If an empty object is provided - the public instance of Rekor - (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog @@ -41945,13 +38199,9 @@ spec: verification. type: boolean pubkey: - description: RekorPubKey - is an optional PEM-encoded - public key to use for - a custom Rekor. If set, - this will be used to validate - transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the 
@@ -41988,40 +38238,30 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use - for signatures and attestations - that match this rule. If specified - Repository will override other - OCI image repository locations - for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array type: object type: array conditions: - description: Conditions are used to verify attributes - within a Predicate. If no Conditions are specified - the attestation check is satisfied as long - there are predicates that match the predicate - type. + description: |- + Conditions are used to verify attributes within a Predicate. If no Conditions are specified + the attestation check is satisfied as long there are predicates that match the predicate type. items: - description: AnyAllConditions consists of - conditions wrapped denoting a logical criteria - to be fulfilled. AnyConditions get fulfilled - when at least one of its sub-conditions - passes. AllConditions get fulfilled only - when all of its sub-conditions pass. + description: |- + AnyAllConditions consists of conditions wrapped denoting a logical criteria to be fulfilled. + AnyConditions get fulfilled when at least one of its sub-conditions passes. + AllConditions get fulfilled only when all of its sub-conditions pass. properties: all: - description: AllConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, all of the conditions need to - pass + description: |- + AllConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. 
A condition can reference object data + using JMESPath notation. + Here, all of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. @@ -42036,14 +38276,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -42063,21 +38300,18 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array any: - description: AnyConditions enable variable-based - conditional rule execution. This is - useful for finer control of when an - rule is applied. A condition can reference - object data using JMESPath notation. - Here, at least one of the conditions - need to pass + description: |- + AnyConditions enable variable-based conditional rule execution. This is useful for + finer control of when an rule is applied. A condition can reference object data + using JMESPath notation. + Here, at least one of the conditions need to pass items: description: Condition defines variable-based conditional criteria for rule execution. 
@@ -42092,14 +38326,11 @@ spec: display message type: string operator: - description: 'Operator is the conditional - operation to perform. Valid operators - are: Equals, NotEquals, In, AnyIn, - AllIn, NotIn, AnyNotIn, AllNotIn, - GreaterThanOrEquals, GreaterThan, - LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, - DurationGreaterThan, DurationLessThanOrEquals, - DurationLessThan' + description: |- + Operator is the conditional operation to perform. Valid operators are: + Equals, NotEquals, In, AnyIn, AllIn, NotIn, AnyNotIn, AllNotIn, GreaterThanOrEquals, + GreaterThan, LessThanOrEquals, LessThan, DurationGreaterThanOrEquals, DurationGreaterThan, + DurationLessThanOrEquals, DurationLessThan enum: - Equals - NotEquals @@ -42119,10 +38350,9 @@ spec: - DurationLessThan type: string value: - description: Value is the conditional - value, or set of values. The values - can be fixed set or can be variables - declared using JMESPath. + description: |- + Value is the conditional value, or set of values. The values can be fixed set + or can be variables declared using JMESPath. x-kubernetes-preserve-unknown-fields: true type: object type: array 
@@ -42144,31 +38374,25 @@ spec: items: properties: count: - description: Count specifies the required number - of entries that must match. If the count is - null, all entries must match (a logical AND). - If the count is 1, at least one entry must - match (a logical OR). If the count contains - a value N, then N must be less than or equal - to the size of entries, and at least N entries - must match. + description: |- + Count specifies the required number of entries that must match. If the count is null, all entries must match + (a logical AND). If the count is 1, at least one entry must match (a logical OR). If the count contains a + value N, then N must be less than or equal to the size of entries, and at least N entries must match. minimum: 1 type: integer entries: - description: Entries contains the available - attestors. An attestor can be a static key, - attributes for keyless verification, or a - nested attestor declaration. + description: |- + Entries contains the available attestors. An attestor can be a static key, + attributes for keyless verification, or a nested attestor declaration. items: properties: annotations: additionalProperties: type: string - description: Annotations are used for - image verification. Every specified - key-value pair must exist and match - in the verified payload. The payload - may contain other key-value pairs. + description: |- + Annotations are used for image verification. + Every specified key-value pair must exist and match in the verified payload. + The payload may contain other key-value pairs. type: object attestor: description: Attestor is a nested set 
@@ -42189,21 +38413,14 @@ spec: used to verify. type: string ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -42211,35 +38428,25 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42250,8 +38457,8 @@ spec: type: object type: object keyless: - description: Keyless is a set of attribute - used to verify a Sigstore keyless attestor. + description: |- + Keyless is a set of attribute used to verify a Sigstore keyless attestor. See https://github.com/sigstore/cosign/blob/main/KEYLESS.md. properties: additionalExtensions: 
@@ -42262,21 +38469,14 @@ spec: for keyless signing. type: object ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is @@ -42284,15 +38484,10 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object issuer: 
@@ -42300,23 +38495,18 @@ spec: issuer used for keyless signing. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address @@ -42326,10 +38516,9 @@ spec: type: string type: object roots: - description: Roots is an optional - set of PEM encoded trusted root - certificates. If not provided, the - system roots are used. + description: |- + Roots is an optional set of PEM encoded trusted root certificates. + If not provided, the system roots are used. type: string subject: description: Subject is the verified 
@@ -42342,21 +38531,14 @@ spec: public keys. properties: ctlog: - description: CTLog (certificate timestamp - log) provides a configuration for - validation of Signed Certificate - Timestamps (SCTs). If the value - is unset, the default behavior by - Cosign is used. + description: |- + CTLog (certificate timestamp log) provides a configuration for validation of Signed Certificate + Timestamps (SCTs). If the value is unset, the default behavior by Cosign is used. properties: ignoreSCT: - description: IgnoreSCT defines - whether to use the Signed Certificate - Timestamp (SCT) log to check - for a certificate timestamp. - Default is false. Set to true - if this was opted out during - signing. + description: |- + IgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate + timestamp. Default is false. Set to true if this was opted out during signing. type: boolean pubkey: description: PubKey, if set, is 
@@ -42364,61 +38546,41 @@ spec: a custom source. type: string tsaCertChain: - description: TSACertChain, if - set, is the PEM-encoded certificate - chain file for the RFC3161 timestamp - authority. Must contain the - root CA certificate. Optionally - may contain intermediate CA - certificates, and may contain - the leaf TSA certificate if - not present in the timestamurce. + description: |- + TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must + contain the root CA certificate. Optionally may contain intermediate CA certificates, and + may contain the leaf TSA certificate if not present in the timestamurce. type: string type: object kms: - description: 'KMS provides the URI - to the public key stored in a Key - Management System. See: https://github.com/sigstore/cosign/blob/main/KMS.md' + description: |- + KMS provides the URI to the public key stored in a Key Management System. See: + https://github.com/sigstore/cosign/blob/main/KMS.md type: string publicKeys: - description: Keys is a set of X.509 - public keys used to verify image - signatures. The keys can be directly - specified or can be a variable reference - to a key specified in a ConfigMap - (see https://kyverno.io/docs/writing-policies/variables/), - or reference a standard Kubernetes - Secret elsewhere in the cluster - by specifying it in the format "k8s:///". - The named Secret must specify a - key `cosign.pub` containing the - public key used for verification, - (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). - When multiple keys are specified - each key is processed as a separate - staticKey entry (.attestors[*].entries.keys) - within the set of attestors and - the count is applied across the - keys. + description: |- + Keys is a set of X.509 public keys used to verify image signatures. 
The keys can be directly + specified or can be a variable reference to a key specified in a ConfigMap (see + https://kyverno.io/docs/writing-policies/variables/), or reference a standard Kubernetes Secret + elsewhere in the cluster by specifying it in the format "k8s:///". + The named Secret must specify a key `cosign.pub` containing the public key used for + verification, (see https://github.com/sigstore/cosign/blob/main/KMS.md#kubernetes-secret). + When multiple keys are specified each key is processed as a separate staticKey entry + (.attestors[*].entries.keys) within the set of attestors and the count is applied across the keys. type: string rekor: - description: Rekor provides configuration - for the Rekor transparency log service. - If an empty object is provided the - public instance of Rekor (https://rekor.sigstore.dev) - is used. + description: |- + Rekor provides configuration for the Rekor transparency log service. If an empty object + is provided the public instance of Rekor (https://rekor.sigstore.dev) is used. properties: ignoreTlog: description: IgnoreTlog skips transparency log verification. type: boolean pubkey: - description: RekorPubKey is an - optional PEM-encoded public - key to use for a custom Rekor. - If set, this will be used to - validate transparency log signatures - from a custom Rekor. + description: |- + RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor. + If set, this will be used to validate transparency log signatures from a custom Rekor. type: string url: description: URL is the address 
@@ -42453,12 +38615,9 @@ spec: type: string type: object repository: - description: Repository is an optional - alternate OCI repository to use for - signatures and attestations that match - this rule. If specified Repository will - override other OCI image repository - locations for this Attestor. + description: |- + Repository is an optional alternate OCI repository to use for signatures and attestations that match this rule. + If specified Repository will override other OCI image repository locations for this Attestor. type: string type: object type: array @@ -42468,13 +38627,11 @@ spec: description: Deprecated. Use ImageReferences instead. type: string imageReferences: - description: 'ImageReferences is a list of matching - image reference patterns. At least one pattern in - the list must match the image for the rule to apply. - Each image reference consists of a registry address - (defaults to docker.io), repository, image, and - tag (defaults to latest). Wildcards (''*'' and ''?'') - are allowed. See: https://kubernetes.io/docs/concepts/containers/images.' + description: |- + ImageReferences is a list of matching image reference patterns. At least one pattern in the + list must match the image for the rule to apply. Each image reference consists of a registry + address (defaults to docker.io), repository, image, and tag (defaults to latest). + Wildcards ('*' and '?') are allowed. See: https://kubernetes.io/docs/concepts/containers/images. items: type: string type: array 
@@ -42487,10 +38644,9 @@ spec: access to a registry. type: boolean providers: - description: 'Providers specifies a list of OCI - Registry names, whose authentication providers - are provided. It can be of one of these values: - default,google,azure,amazon,github.' + description: |- + Providers specifies a list of OCI Registry names, whose authentication providers are provided. + It can be of one of these values: default,google,azure,amazon,github. items: description: ImageRegistryCredentialsProvidersType provides the list of credential providers @@ -42504,9 +38660,9 @@ spec: type: string type: array secrets: - description: Secrets specifies a list of secrets - that are provided for credentials. Secrets must - live in the Kyverno namespace. + description: |- + Secrets specifies a list of secrets that are provided for credentials. + Secrets must live in the Kyverno namespace. items: type: string type: array @@ -42519,16 +38675,15 @@ spec: type: string mutateDigest: default: true - description: MutateDigest enables replacement of image - tags with digests. Defaults to true. + description: |- + MutateDigest enables replacement of image tags with digests. + Defaults to true. type: boolean repository: - description: Repository is an optional alternate OCI - repository to use for image signatures and attestations - that match this rule. If specified Repository will - override the default OCI image repository configured - for the installation. The repository can also be - overridden per Attestor or Attestation. + description: |- + Repository is an optional alternate OCI repository to use for image signatures and attestations that match this rule. + If specified Repository will override the default OCI image repository configured for the installation. + The repository can also be overridden per Attestor or Attestation. type: string required: default: true 
@@ -42543,9 +38698,9 @@ spec: description: Deprecated. Use KeylessAttestor instead. type: string type: - description: Type specifies the method of signature - validation. The allowed options are Cosign and Notary. - By default Cosign is used if a type is not specified. + description: |- + Type specifies the method of signature validation. The allowed options + are Cosign and Notary. By default Cosign is used if a type is not specified. enum: - Cosign - Notary 
@@ -42570,42 +38725,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -42619,11 +38774,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string @@ -42639,8 +38795,9 @@ spec: description: Deprecated in favor of Conditions type: boolean rulecount: - description: RuleCountStatus contains four variables which describes - counts for validate, generate, mutate and verify images rules + description: |- + RuleCountStatus contains four variables which describes counts for + validate, generate, mutate and verify images rules properties: generate: description: Count for generate rules in policy @@ -42668,10 +38825,9 @@ spec: policy is generated from the policy or not type: boolean message: - description: Message is a human readable message indicating details - about the generation of validating admission policy It is an - empty string when validating admission policy is successfully - generated. + description: |- + Message is a human readable message indicating details about the generation of validating admission policy + It is an empty string when validating admission policy is successfully generated. type: string required: - generated 
@@ -42699,7 +38855,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyexceptions.kyverno.io spec: group: kyverno.io @@ -42722,14 +38878,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -42737,11 +38898,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -42749,9 +38909,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -42787,11 +38948,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -42799,52 +38959,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -42856,19 +39013,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -42888,38 +39043,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -42931,12 +39083,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -42951,32 +39101,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -43005,11 +39151,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -43017,52 +39162,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -43074,19 +39216,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -43106,38 +39246,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43149,12 +39286,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -43169,32 +39304,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -43221,14 +39352,19 @@ spec: policies. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -43236,11 +39372,10 @@ spec: description: Spec declares policy exception behaviors. properties: background: - description: Background controls if exceptions are applied to existing - policies during a background scan. Optional. Default value is "true". - The value must be set to "false" if the policy rule uses variables - that are only available in the admission review request (e.g. user - name). + description: |- + Background controls if exceptions are applied to existing policies during a background scan. + Optional. Default value is "true". The value must be set to "false" if the policy rule + uses variables that are only available in the admission review request (e.g. user name). type: boolean exceptions: description: Exceptions is a list policy/rules to be excluded @@ -43248,9 +39383,10 @@ spec: description: Exception stores infos about a policy and rules properties: policyName: - description: PolicyName identifies the policy to which the exception - is applied. The policy name uses the format / - unless it references a ClusterPolicy. + description: |- + PolicyName identifies the policy to which the exception is applied. + The policy name uses the format / unless it + references a ClusterPolicy. type: string ruleNames: description: RuleNames identifies the rules to which the exception @@ -43286,11 +39422,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -43298,52 +39433,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -43355,19 +39487,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -43387,38 +39517,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43430,12 +39557,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -43450,32 +39575,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -43504,11 +39625,10 @@ spec: annotations: additionalProperties: type: string - description: Annotations is a map of annotations (key-value - pairs of type string). Annotation keys and values - support the wildcard characters "*" (matches zero - or many characters) and "?" (matches at least one - character). + description: |- + Annotations is a map of annotations (key-value pairs of type string). Annotation keys + and values support the wildcard characters "*" (matches zero or many characters) and + "?" (matches at least one character). type: object kinds: description: Kinds is a list of resource kinds. 
@@ -43516,52 +39636,49 @@ spec: type: string type: array name: - description: 'Name is the name of the resource. The - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). - NOTE: "Name" is being deprecated in favor of "Names".' + description: |- + Name is the name of the resource. The name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). + NOTE: "Name" is being deprecated in favor of "Names". type: string names: - description: Names are the names of the resources. Each - name supports wildcard characters "*" (matches zero - or many characters) and "?" (at least one character). + description: |- + Names are the names of the resources. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array namespaceSelector: - description: 'NamespaceSelector is a label selector - for the resource namespace. Label keys and values - in `matchLabels` support the wildcard characters `*` - (matches zero or many characters) and `?` (matches - one character).Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + NamespaceSelector is a label selector for the resource namespace. Label keys and values + in `matchLabels` support the wildcard characters `*` (matches zero or many characters) + and `?` (matches one character).Wildcards allows writing label selectors like + ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but + does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. 
+ description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -43573,19 +39690,17 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic namespaces: - description: Namespaces is a list of namespaces names. - Each name supports wildcard characters "*" (matches - zero or many characters) and "?" (at least one character). + description: |- + Namespaces is a list of namespaces names. Each name supports wildcard characters + "*" (matches zero or many characters) and "?" (at least one character). items: type: string type: array 
@@ -43605,38 +39720,35 @@ spec: type: string type: array selector: - description: 'Selector is a label selector. Label keys - and values in `matchLabels` support the wildcard characters - `*` (matches zero or many characters) and `?` (matches - one character). Wildcards allows writing label selectors - like ["storage.k8s.io/*": "*"]. Note that using ["*" - : "*"] matches any key and value but does not match - an empty label set.' + description: |- + Selector is a label selector. Label keys and values in `matchLabels` support the wildcard + characters `*` (matches zero or many characters) and `?` (matches one character). + Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that + using ["*" : "*"] matches any key and value but does not match an empty label set. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a - selector that contains values, a key, and an - operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are - In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If the - operator is Exists or DoesNotExist, the - values array must be empty. This array is - replaced during a strategic merge patch. + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -43648,12 +39760,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". The - requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -43668,32 +39778,28 @@ spec: description: Subjects is the list of subject names like users, user groups, and service accounts. items: - description: Subject contains a reference to the object - or user identities a role binding applies to. This - can either hold a direct API object reference, or a - value for non-objects such as user and group names. + description: |- + Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, + or a value for non-objects such as user and group names. properties: apiGroup: - description: APIGroup holds the API group of the referenced - subject. Defaults to "" for ServiceAccount subjects. - Defaults to "rbac.authorization.k8s.io" for User - and Group subjects. + description: |- + APIGroup holds the API group of the referenced subject. + Defaults to "" for ServiceAccount subjects. + Defaults to "rbac.authorization.k8s.io" for User and Group subjects. type: string kind: - description: Kind of object being referenced. Values - defined by this API group are "User", "Group", and - "ServiceAccount". If the Authorizer does not recognized - the kind value, the Authorizer should report an - error. + description: |- + Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". + If the Authorizer does not recognized the kind value, the Authorizer should report an error. type: string name: description: Name of the object being referenced. type: string namespace: - description: Namespace of the referenced object. If - the object kind is non-namespace, such as "User" - or "Group", and this value is not empty the Authorizer - should report an error. + description: |- + Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty + the Authorizer should report an error. type: string required: - kind 
@@ -43725,7 +39831,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: updaterequests.kyverno.io spec: group: kyverno.io @@ -43769,14 +39875,19 @@ spec: in background. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -43795,9 +39906,9 @@ spec: for the admission request. properties: dryRun: - description: DryRun indicates that modifications will - definitely not be persisted for this request. Defaults - to false. + description: |- + DryRun indicates that modifications will definitely not be persisted for this request. + Defaults to false. type: boolean kind: description: Kind is the fully-qualified type of object @@ -43815,10 +39926,9 @@ spec: - version type: object name: - description: Name is the name of the object as presented - in the request. On a CREATE operation, the client may - omit name and rely on the server to generate the name. If - that is the case, this field will contain an empty string. + description: |- + Name is the name of the object as presented in the request. On a CREATE operation, the client may omit name and + rely on the server to generate the name. If that is the case, this field will contain an empty string. type: string namespace: description: Namespace is the namespace associated with 
@@ -43834,38 +39944,33 @@ spec: type: object x-kubernetes-preserve-unknown-fields: true operation: - description: Operation is the operation being performed. - This may be different than the operation requested. - e.g. a patch can result in either a CREATE or UPDATE - Operation. + description: |- + Operation is the operation being performed. This may be different than the operation + requested. e.g. a patch can result in either a CREATE or UPDATE Operation. type: string options: - description: Options is the operation option structure - of the operation being performed. e.g. `meta.k8s.io/v1.DeleteOptions` - or `meta.k8s.io/v1.CreateOptions`. This may be different - than the options the caller provided. e.g. for a patch - request the performed Operation might be a CREATE, in - which case the Options will a `meta.k8s.io/v1.CreateOptions` - even though the caller provided `meta.k8s.io/v1.PatchOptions`. + description: |- + Options is the operation option structure of the operation being performed. + e.g. `meta.k8s.io/v1.DeleteOptions` or `meta.k8s.io/v1.CreateOptions`. This may be + different than the options the caller provided. e.g. for a patch request the performed + Operation might be a CREATE, in which case the Options will a + `meta.k8s.io/v1.CreateOptions` even though the caller provided `meta.k8s.io/v1.PatchOptions`. type: object x-kubernetes-preserve-unknown-fields: true requestKind: - description: "RequestKind is the fully-qualified type - of the original API request (for example, v1.Pod or - autoscaling.v1.Scale). If this is specified and differs - from the value in \"kind\", an equivalent match and - conversion was performed. 
\n For example, if deployments - can be modified via apps/v1 and apps/v1beta1, and a - webhook registered a rule of `apiGroups:[\"apps\"], - apiVersions:[\"v1\"], resources: [\"deployments\"]` - and `matchPolicy: Equivalent`, an API request to apps/v1beta1 - deployments would be converted and sent to the webhook - with `kind: {group:\"apps\", version:\"v1\", kind:\"Deployment\"}` - (matching the rule the webhook registered for), and - `requestKind: {group:\"apps\", version:\"v1beta1\", - kind:\"Deployment\"}` (indicating the kind of the original - API request). \n See documentation for the \"matchPolicy\" - field in the webhook configuration type for more details." + description: |- + RequestKind is the fully-qualified type of the original API request (for example, v1.Pod or autoscaling.v1.Scale). + If this is specified and differs from the value in "kind", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `kind: {group:"apps", version:"v1", kind:"Deployment"}` (matching the rule the webhook registered for), + and `requestKind: {group:"apps", version:"v1beta1", kind:"Deployment"}` (indicating the kind of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type for more details. properties: group: type: string 
@@ -43879,22 +39984,19 @@ spec: - version type: object requestResource: - description: "RequestResource is the fully-qualified resource - of the original API request (for example, v1.pods). - If this is specified and differs from the value in \"resource\", - an equivalent match and conversion was performed. \n - For example, if deployments can be modified via apps/v1 - and apps/v1beta1, and a webhook registered a rule of - `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: - [\"deployments\"]` and `matchPolicy: Equivalent`, an - API request to apps/v1beta1 deployments would be converted - and sent to the webhook with `resource: {group:\"apps\", - version:\"v1\", resource:\"deployments\"}` (matching - the resource the webhook registered for), and `requestResource: - {group:\"apps\", version:\"v1beta1\", resource:\"deployments\"}` - (indicating the resource of the original API request). - \n See documentation for the \"matchPolicy\" field in - the webhook configuration type." + description: |- + RequestResource is the fully-qualified resource of the original API request (for example, v1.pods). + If this is specified and differs from the value in "resource", an equivalent match and conversion was performed. + + + For example, if deployments can be modified via apps/v1 and apps/v1beta1, and a webhook registered a rule of + `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]` and `matchPolicy: Equivalent`, + an API request to apps/v1beta1 deployments would be converted and sent to the webhook + with `resource: {group:"apps", version:"v1", resource:"deployments"}` (matching the resource the webhook registered for), + and `requestResource: {group:"apps", version:"v1beta1", resource:"deployments"}` (indicating the resource of the original API request). + + + See documentation for the "matchPolicy" field in the webhook configuration type. properties: group: type: string 
@@ -43908,12 +40010,10 @@ spec: - version type: object requestSubResource: - description: RequestSubResource is the name of the subresource - of the original API request, if any (for example, "status" - or "scale") If this is specified and differs from the - value in "subResource", an equivalent match and conversion - was performed. See documentation for the "matchPolicy" - field in the webhook configuration type. + description: |- + RequestSubResource is the name of the subresource of the original API request, if any (for example, "status" or "scale") + If this is specified and differs from the value in "subResource", an equivalent match and conversion was performed. + See documentation for the "matchPolicy" field in the webhook configuration type. type: string resource: description: Resource is the fully-qualified resource @@ -43935,14 +40035,11 @@ spec: if any (for example, "status" or "scale") type: string uid: - description: UID is an identifier for the individual request/response. - It allows us to distinguish instances of requests which - are otherwise identical (parallel requests, requests - when earlier requests did not modify etc) The UID is - meant to track the round trip (request/response) between - the KAS and the WebHook, not the user request. It is - suitable for correlating log entries between the webhook - and apiserver, for either auditing or debugging. + description: |- + UID is an identifier for the individual request/response. It allows us to distinguish instances of requests which are + otherwise identical (parallel requests, requests when earlier requests did not modify etc) + The UID is meant to track the round trip (request/response) between the KAS and the WebHook, not the user request. + It is suitable for correlating log entries between the webhook and apiserver, for either auditing or debugging. type: string userInfo: description: UserInfo is information about the requesting 
@@ -43965,10 +40062,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another - user by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this @@ -44024,10 +40121,10 @@ spec: type: string type: array uid: - description: A unique value that identifies this user - across time. If this user is deleted and another user - by the same name is added, they will have different - UIDs. + description: |- + A unique value that identifies this user across time. If this user is + deleted and another user by the same name is added, they will have + different UIDs. type: string username: description: The name that uniquely identifies this user @@ -44073,8 +40170,9 @@ spec: description: Rule is the associate rule name of the current UR. type: string synchronize: - description: Synchronize represents the sync behavior of the corresponding - rule Optional. Defaults to "false" if not specified. + description: |- + Synchronize represents the sync behavior of the corresponding rule + Optional. Defaults to "false" if not specified. type: boolean required: - context @@ -44087,8 +40185,9 @@ spec: description: Status contains statistics related to update request. properties: generatedResources: - description: This will track the resources that are updated by the - generate Policy. Will be used during clean up resources. + description: |- + This will track the resources that are updated by the generate Policy. + Will be used during clean up resources. items: properties: apiVersion: 
@@ -44139,7 +40238,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: clusterpolicyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io @@ -44184,14 +40283,19 @@ spec: API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -44218,35 +40322,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44258,11 +40362,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -44270,63 +40373,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). 
This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -44364,15 +40467,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 
@@ -44393,61 +40497,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44459,10 +40573,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -44506,7 +40620,7 @@ metadata: app.kubernetes.io/version: 3.1.4 helm.sh/chart: crds-3.1.4 annotations: - controller-gen.kubebuilder.io/version: v0.12.0 + controller-gen.kubebuilder.io/version: v0.14.0 name: policyreports.wgpolicyk8s.io spec: group: wgpolicyk8s.io 
@@ -44550,14 +40664,19 @@ spec: description: PolicyReport is the Schema for the policyreports API properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -44584,35 +40703,35 @@ spec: policy rule type: object resourceSelector: - description: SubjectSelector is an optional label selector for checked - Kubernetes resources. For example, a policy result may apply to - all pods that match a label. Either a Subject or a SubjectSelector - can be specified. If neither are provided, the result is assumed - to be for the policy report scope. + description: |- + SubjectSelector is an optional label selector for checked Kubernetes resources. + For example, a policy result may apply to all pods that match a label. + Either a Subject or a SubjectSelector can be specified. + If neither are provided, the result is assumed to be for the policy report scope. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44624,11 +40743,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -44636,63 +40754,63 @@ spec: description: Subjects is an optional reference to the checked Kubernetes resources items: - description: "ObjectReference contains enough information to let - you inspect or modify the referred object. --- New uses of this - type are discouraged because of difficulty describing its usage - when embedded in APIs. 1. Ignored fields. It includes many - fields which are not generally honored. For instance, ResourceVersion - and FieldPath are both very rarely valid in actual usage. 2. - Invalid usage help. It is impossible to add specific help for - individual usage. In most embedded usages, there are particular - restrictions like, \"must refer only to types A and B\" or \"UID - not honored\" or \"name must be restricted\". Those cannot be - well described when embedded. 3. Inconsistent validation. Because - the usages are different, the validation rules are different - by usage, which makes it hard for users to predict what will - happen. 4. The fields are both imprecise and overly precise. - \ Kind is not a precise mapping to a URL. This can produce ambiguity - during interpretation and require a REST mapping. In most cases, - the dependency is on the group,resource tuple and the version - of the actual struct is irrelevant. 5. We cannot easily change - it. Because this type is embedded in many locations, updates - to this type will affect numerous schemas. Don't make new APIs - embed an underspecified API type they do not control. \n Instead - of using this type, create a locally provided and used type - that is well-focused on your reference. For example, ServiceReferences - for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 - ." + description: |- + ObjectReference contains enough information to let you inspect or modify the referred object. + --- + New uses of this type are discouraged because of difficulty describing its usage when embedded in APIs. + 1. 
Ignored fields. It includes many fields which are not generally honored. For instance, ResourceVersion and FieldPath are both very rarely valid in actual usage. + 2. Invalid usage help. It is impossible to add specific help for individual usage. In most embedded usages, there are particular + restrictions like, "must refer only to types A and B" or "UID not honored" or "name must be restricted". + Those cannot be well described when embedded. + 3. Inconsistent validation. Because the usages are different, the validation rules are different by usage, which makes it hard for users to predict what will happen. + 4. The fields are both imprecise and overly precise. Kind is not a precise mapping to a URL. This can produce ambiguity + during interpretation and require a REST mapping. In most cases, the dependency is on the group,resource tuple + and the version of the actual struct is irrelevant. + 5. We cannot easily change it. Because this type is embedded in many locations, updates to this type + will affect numerous schemas. Don't make new APIs embed an underspecified API type they do not control. + + + Instead of using this type, create a locally provided and used type that is well-focused on your reference. + For example, ServiceReferences for admission registration: https://github.com/kubernetes/api/blob/release-1.17/admissionregistration/v1/types.go#L533 . properties: apiVersion: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead - of an entire object, this string should contain a valid - JSON/Go field access statement, such as desiredState.manifest.containers[2]. - For example, if the object reference is to a container within - a pod, this would take on a value like: "spec.containers{name}" - (where "name" refers to the name of the container that triggered - the event) or if no container name is specified "spec.containers[2]" - (container with index 2 in this pod). 
This syntax is chosen - only to have some well-defined way of referencing a part - of an object. TODO: this design is not final and this field - is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference - is made, if any. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic @@ -44730,15 +40848,16 @@ spec: description: Timestamp indicates the time the result was found properties: nanos: - description: Non-negative fractions of a second at nanosecond - resolution. Negative second values with fractions must still - have non-negative nanos values that count forward in time. - Must be from 0 to 999,999,999 inclusive. This field may be - limited in precision depending on context. + description: |- + Non-negative fractions of a second at nanosecond resolution. Negative + second values with fractions must still have non-negative nanos values + that count forward in time. Must be from 0 to 999,999,999 + inclusive. This field may be limited in precision depending on context. format: int32 type: integer seconds: - description: Represents seconds of UTC time since Unix epoch + description: |- + Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive. format: int64 
@@ -44759,61 +40878,71 @@ spec: description: API version of the referent. type: string fieldPath: - description: 'If referring to a piece of an object instead of an entire - object, this string should contain a valid JSON/Go field access - statement, such as desiredState.manifest.containers[2]. For example, - if the object reference is to a container within a pod, this would - take on a value like: "spec.containers{name}" (where "name" refers - to the name of the container that triggered the event) or if no - container name is specified "spec.containers[2]" (container with - index 2 in this pod). This syntax is chosen only to have some well-defined - way of referencing a part of an object. TODO: this design is not - final and this field is subject to change in the future.' + description: |- + If referring to a piece of an object instead of an entire object, this string + should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. + For example, if the object reference is to a container within a pod, this would take on a value like: + "spec.containers{name}" (where "name" refers to the name of the container that triggered + the event) or if no container name is specified "spec.containers[2]" (container with + index 2 in this pod). This syntax is chosen only to have some well-defined way of + referencing a part of an object. + TODO: this design is not final and this field is subject to change in the future. type: string kind: - description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind of the referent. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' + description: |- + Name of the referent. 
+ More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string namespace: - description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' + description: |- + Namespace of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ type: string resourceVersion: - description: 'Specific resourceVersion to which this reference is - made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' + description: |- + Specific resourceVersion to which this reference is made, if any. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency type: string uid: - description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' + description: |- + UID of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids type: string type: object x-kubernetes-map-type: atomic scopeSelector: - description: ScopeSelector is an optional selector for multiple scopes - (e.g. Pods). Either one of, or none of, but not both of, Scope or ScopeSelector - should be specified. + description: |- + ScopeSelector is an optional selector for multiple scopes (e.g. Pods). + Either one of, or none of, but not both of, Scope or ScopeSelector should be specified. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains - values, a key, and an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to a set - of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator - is In or NotIn, the values array must be non-empty. If the - operator is Exists or DoesNotExist, the values array must - be empty. This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -44825,10 +40954,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} - in the matchLabels map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic diff --git a/docs/user/crd/index.html b/docs/user/crd/index.html index 3062cf7b2f92..8203ef458ff4 100644 --- a/docs/user/crd/index.html +++ b/docs/user/crd/index.html @@ -4279,6 +4279,17 @@

Validation

CEL allows validation checks using the Common Expression Language (https://kubernetes.io/docs/reference/using-api/cel/).

+ + +allowExistingViolations
+ +bool + + + +

AllowExistingViolations allows prexisting violating resources to continue violating a policy.

+ +
diff --git a/pkg/client/applyconfigurations/kyverno/v1/validation.go b/pkg/client/applyconfigurations/kyverno/v1/validation.go index 4f291f5d6069..aa7a0b79a4be 100644 --- a/pkg/client/applyconfigurations/kyverno/v1/validation.go +++ b/pkg/client/applyconfigurations/kyverno/v1/validation.go @@ -25,14 +25,15 @@ import ( // ValidationApplyConfiguration represents an declarative configuration of the Validation type for use // with apply. type ValidationApplyConfiguration struct { - Message *string `json:"message,omitempty"` - Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"` - ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"` - RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` - RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` - Deny *DenyApplyConfiguration `json:"deny,omitempty"` - PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` - CEL *CELApplyConfiguration `json:"cel,omitempty"` + Message *string `json:"message,omitempty"` + Manifests *ManifestsApplyConfiguration `json:"manifests,omitempty"` + ForEachValidation []ForEachValidationApplyConfiguration `json:"foreach,omitempty"` + RawPattern *apiextensionsv1.JSON `json:"pattern,omitempty"` + RawAnyPattern *apiextensionsv1.JSON `json:"anyPattern,omitempty"` + Deny *DenyApplyConfiguration `json:"deny,omitempty"` + PodSecurity *PodSecurityApplyConfiguration `json:"podSecurity,omitempty"` + CEL *CELApplyConfiguration `json:"cel,omitempty"` + AllowExistingViolations *bool `json:"allowExistingViolations,omitempty"` } // ValidationApplyConfiguration constructs an declarative configuration of the Validation type for use with 
@@ -109,3 +110,11 @@ func (b *ValidationApplyConfiguration) WithCEL(value *CELApplyConfiguration) *Va
 b.CEL = value
 return b
 }
+
+// WithAllowExistingViolations sets the AllowExistingViolations field in the declarative configuration to the given value
+// and returns the receiver, so that objects can be built by chaining "With" function invocations.
+// If called multiple times, the AllowExistingViolations field is set to the value of the last call.
+func (b *ValidationApplyConfiguration) WithAllowExistingViolations(value bool) *ValidationApplyConfiguration {
+ b.AllowExistingViolations = &value
+ return b
+}
diff --git a/pkg/engine/api/policycontext.go b/pkg/engine/api/policycontext.go
index 0119057681a8..0a0bb183f1e8 100644
--- a/pkg/engine/api/policycontext.go
+++ b/pkg/engine/api/policycontext.go
@@ -24,7 +24,8 @@ type PolicyContext interface {
 AdmissionOperation() bool
 Element() unstructured.Unstructured
 SetElement(element unstructured.Unstructured)
-
+ SetOperation(op kyvernov1.AdmissionOperation) error
+ SetResources(oldObj, newObj unstructured.Unstructured) error
 OldPolicyContext() (PolicyContext, error)
 JSONContext() enginecontext.Interface
 Copy() PolicyContext
diff --git a/pkg/engine/handlers/validation/utils.go b/pkg/engine/handlers/validation/utils.go
new file mode 100644
index 000000000000..2c887306eac3
--- /dev/null
+++ b/pkg/engine/handlers/validation/utils.go
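Review bot: The two methods added to the PolicyContext interface, `SetOperation` and `SetResources`, have no doc comments, and the rest of this diff uses them to swap the context's resources and operation temporarily and then put them back, which is a contract callers need stated. Suggest `// SetOperation overrides the admission operation this context reports; a caller that changes it temporarily must restore the previous value.` above the first and `// SetResources replaces the old and new resource of this context; a caller that swaps them temporarily must restore the previous pair.` above the second. The interface definition starts before this hunk.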
@@ -0,0 +1,46 @@
+package validation
+
+import (
+ kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
+ kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1"
+ kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1"
+ "github.com/kyverno/kyverno/pkg/utils/match"
+ "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+func matchResource(resource unstructured.Unstructured, rule kyvernov1.Rule) bool {
+ if rule.MatchResources.All != nil || rule.MatchResources.Any != nil {
+ matched := match.CheckMatchesResources(
+ resource,
+ kyvernov2beta1.MatchResources{
+ Any: rule.MatchResources.Any,
+ All: rule.MatchResources.All,
+ },
+ make(map[string]string),
+ kyvernov1beta1.RequestInfo{},
+ resource.GroupVersionKind(),
+ "",
+ )
+ if matched != nil {
+ return false
+ }
+ }
+
+ if rule.ExcludeResources.All != nil || rule.ExcludeResources.Any != nil {
+ excluded := match.CheckMatchesResources(
+ resource,
+ kyvernov2beta1.MatchResources{
+ Any: rule.ExcludeResources.Any,
+ All: rule.ExcludeResources.All,
+ },
+ make(map[string]string),
+ kyvernov1beta1.RequestInfo{},
+ resource.GroupVersionKind(),
+ "",
+ )
+ if excluded == nil {
+ return false
+ }
+ }
+ return true
+}
diff --git a/pkg/engine/handlers/validation/validate_pss.go b/pkg/engine/handlers/validation/validate_pss.go
index c9c3842310c0..f5f29c0574f7 100644
--- a/pkg/engine/handlers/validation/validate_pss.go
+++ b/pkg/engine/handlers/validation/validate_pss.go
@@ -9,7 +9,9 @@ import (
 kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1"
 engineapi "github.com/kyverno/kyverno/pkg/engine/api"
 "github.com/kyverno/kyverno/pkg/engine/handlers"
+ engineutils "github.com/kyverno/kyverno/pkg/engine/utils"
 "github.com/kyverno/kyverno/pkg/pss"
+ "github.com/pkg/errors"
 appsv1 "k8s.io/api/apps/v1"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
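Review bot: matchResource passes an empty `make(map[string]string)` and an empty `kyvernov1beta1.RequestInfo{}` to both `match.CheckMatchesResources` calls, so if those are the namespace labels and admission info the matcher consults, a rule that selects by namespaceSelector, subjects, roles or clusterRoles can never match the old object even though it matched the incoming request, and the old object is then silently treated as out of scope. The callers in this diff have access to a policy context, so the namespace labels and admission info it holds should be threaded through rather than left empty, or the limitation should be stated on the function. Either way the new function needs a doc comment, e.g. `// matchResource reports whether rule's match block selects resource and its exclude block does not; namespace labels and request info are not available here, so selectors that depend on them do not match.` The empty `""` argument at the end of each call would also benefit from a short comment naming what it stands for.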
@@ -29,8 +31,25 @@ func (h validatePssHandler) Process(
 policyContext engineapi.PolicyContext,
 resource unstructured.Unstructured,
 rule kyvernov1.Rule,
- _ engineapi.EngineContextLoader,
+ engineLoader engineapi.EngineContextLoader,
 ) (unstructured.Unstructured, []engineapi.RuleResponse) {
+ resource, ruleResp := h.validate(ctx, logger, policyContext, resource, rule, engineLoader)
+ return resource, handlers.WithResponses(ruleResp)
+ }
+
+ func (h validatePssHandler) validate(
+ ctx context.Context,
+ logger logr.Logger,
+ policyContext engineapi.PolicyContext,
+ resource unstructured.Unstructured,
+ rule kyvernov1.Rule,
+ engineLoader engineapi.EngineContextLoader,
+ ) (unstructured.Unstructured, *engineapi.RuleResponse) {
+ if engineutils.IsDeleteRequest(policyContext) {
+ logger.V(3).Info("skipping PSS validation on deleted resource")
+ return resource, nil
+ }
+
 // Marshal pod metadata and spec
 podSecurity := rule.Validation.PodSecurity
 if resource.Object == nil {
@@ -38,16 +57,16 @@ func (h validatePssHandler) Process(
 }
 podSpec, metadata, err := getSpec(resource)
 if err != nil {
- return resource, handlers.WithError(rule, engineapi.Validation, "Error while getting new resource", err)
+ return resource, engineapi.RuleError(rule.Name, engineapi.Validation, "Error while getting new resource", err)
 }
 pod := &corev1.Pod{
 Spec: *podSpec,
 ObjectMeta: *metadata,
 }
- allowed, pssChecks, err := pss.EvaluatePod(podSecurity, pod)
 if err != nil {
- return resource, handlers.WithError(rule, engineapi.Validation, "failed to parse pod security api version", err)
+ return resource, engineapi.RuleError(rule.Name, engineapi.Validation, "failed to parse pod security api version", err)
 }
+ allowed, pssChecks, _ := pss.EvaluatePod(rule.Validation.PodSecurity, pod)
 podSecurityChecks := engineapi.PodSecurityChecks{
 Level: podSecurity.Level,
 Version: podSecurity.Version,
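Review bot: The error from `pss.EvaluatePod` is now discarded (`allowed, pssChecks, _ := pss.EvaluatePod(rule.Validation.PodSecurity, pod)`), and the `if err != nil` check just above it re-tests the `err` that was already handled after `getSpec`, so the "failed to parse pod security api version" branch is unreachable and an unparsable `podSecurity.Version` is no longer surfaced as a rule error. Keep the call ahead of the check and bind the error again: `allowed, pssChecks, err := pss.EvaluatePod(podSecurity, pod)` followed by the existing `if err != nil { return resource, engineapi.RuleError(rule.Name, engineapi.Validation, "failed to parse pod security api version", err) }`. What `allowed` holds when EvaluatePod fails is not visible here, so with the error dropped the rule's outcome in that case cannot be read off this diff. The enclosing validate function begins in the first hunk of this file and continues in the next one.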
@@ -55,23 +74,85 @@ func (h validatePssHandler) Process( } if allowed { msg := fmt.Sprintf("Validation rule '%s' passed.", rule.Name) - return resource, handlers.WithResponses( - engineapi.RulePass(rule.Name, engineapi.Validation, msg).WithPodSecurityChecks(podSecurityChecks), - ) + return resource, engineapi.RulePass(rule.Name, engineapi.Validation, msg).WithPodSecurityChecks(podSecurityChecks) } else { msg := fmt.Sprintf(`Validation rule '%s' failed. It violates PodSecurity "%s:%s": %s`, rule.Name, podSecurity.Level, podSecurity.Version, pss.FormatChecksPrint(pssChecks)) - return resource, handlers.WithResponses( - engineapi.RuleFail(rule.Name, engineapi.Validation, msg).WithPodSecurityChecks(podSecurityChecks), - ) + ruleResponse := engineapi.RuleFail(rule.Name, engineapi.Validation, msg).WithPodSecurityChecks(podSecurityChecks) + allowExisitingViolations := rule.HasValidateAllowExistingViolations() + if engineutils.IsUpdateRequest(policyContext) && allowExisitingViolations { + logger.V(4).Info("is update request") + priorResp, err := h.validateOldObject(ctx, logger, policyContext, resource, rule, engineLoader) + if err != nil { + logger.V(2).Info("warning: failed to validate old object, skipping the rule evaluation as pre-existing violations are allowed", "rule", rule.Name, "error", err.Error()) + return resource, engineapi.RuleSkip(rule.Name, engineapi.Validation, "failed to validate old object, skipping as preexisting violations are allowed") + } + + if ruleResponse.Status() == priorResp.Status() { + logger.V(3).Info("skipping modified resource as validation results have not changed", "oldResp", priorResp, "newResp", ruleResponse) + if ruleResponse.Status() == engineapi.RuleStatusPass { + return resource, ruleResponse + } + return resource, engineapi.RuleSkip(rule.Name, engineapi.Validation, "skipping modified resource as validation results have not changed") + } + logger.V(4).Info("old object response is different", "oldResp", priorResp, "newResp", 
ruleResponse) + } + + return resource, ruleResponse + } +} + +func (h validatePssHandler) validateOldObject( + ctx context.Context, + logger logr.Logger, + policyContext engineapi.PolicyContext, + resource unstructured.Unstructured, + rule kyvernov1.Rule, + engineLoader engineapi.EngineContextLoader, +) (*engineapi.RuleResponse, error) { + if policyContext.Operation() != kyvernov1.Update { + return nil, nil } + + newResource := policyContext.NewResource() + oldResource := policyContext.OldResource() + emptyResource := unstructured.Unstructured{} + + if ok := matchResource(oldResource, rule); !ok { + return nil, nil + } + if err := policyContext.SetResources(emptyResource, oldResource); err != nil { + return nil, errors.Wrapf(err, "failed to set resources") + } + if err := policyContext.SetOperation(kyvernov1.Create); err != nil { // simulates the condition when old object was "created" + return nil, errors.Wrapf(err, "failed to set operation") + } + + _, resp := h.validate(ctx, logger, policyContext, oldResource, rule, engineLoader) + + if err := policyContext.SetResources(oldResource, newResource); err != nil { + return nil, errors.Wrapf(err, "failed to reset resources") + } + + if err := policyContext.SetOperation(kyvernov1.Update); err != nil { + return nil, errors.Wrapf(err, "failed to reset operation") + } + + return resp, nil } +// Extract container names from PSS error details. 
Here are some example inputs: +// - "containers \"nginx\", \"busybox\" must set securityContext.allowPrivilegeEscalation=false" +// - "containers \"nginx\", \"busybox\" must set securityContext.capabilities.drop=[\"ALL\"]" +// - "pod or containers \"nginx\", \"busybox\" must set securityContext.runAsNonRoot=true" +// - "pod or containers \"nginx\", \"busybox\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\"" +// - "pod or container \"nginx\" must set securityContext.seccompProfile.type to \"RuntimeDefault\" or \"Localhost\"" +// - "container \"nginx\" must set securityContext.allowPrivilegeEscalation=false" + func getSpec(resource unstructured.Unstructured) (podSpec *corev1.PodSpec, metadata *metav1.ObjectMeta, err error) { kind := resource.GetKind() if kind == "DaemonSet" || kind == "Deployment" || kind == "Job" || kind == "StatefulSet" || kind == "ReplicaSet" || kind == "ReplicationController" { var deployment appsv1.Deployment - resourceBytes, err := resource.MarshalJSON() if err != nil { return nil, nil, err @@ -85,7 +166,6 @@ func getSpec(resource unstructured.Unstructured) (podSpec *corev1.PodSpec, metad return podSpec, metadata, nil } else if kind == "CronJob" { var cronJob batchv1.CronJob - resourceBytes, err := resource.MarshalJSON() if err != nil { return nil, nil, err @@ -96,9 +176,9 @@ func getSpec(resource unstructured.Unstructured) (podSpec *corev1.PodSpec, metad } podSpec = &cronJob.Spec.JobTemplate.Spec.Template.Spec metadata = &cronJob.Spec.JobTemplate.ObjectMeta + return podSpec, metadata, nil } else if kind == "Pod" { var pod corev1.Pod - resourceBytes, err := resource.MarshalJSON() if err != nil { return nil, nil, err 
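Review bot: validateOldObject returns `nil, nil` when the operation is not Update and when matchResource rejects the old object, and the caller then evaluates `priorResp.Status()` on that nil pointer; add `if priorResp == nil { return resource, ruleResponse }` before the status comparison so an unmatched old object simply yields the new object's result. The policy-context swap is also not undone on the error path: when `SetOperation(kyvernov1.Create)` fails after `SetResources(emptyResource, oldResource)` succeeded, the function returns with the old object installed as the context's new resource, presumably for whatever is evaluated next, so the restore belongs in a `defer` that runs on every exit, as sketched below; validateOldObject in validate_resource.go, in the last hunk of this diff, has the same non-restoring error path. Separately, the `// Extract container names from PSS error details` comment block now sits directly above `getSpec`, which returns a pod spec and metadata, so it reads as that function's doc comment; move it to the function it describes, or replace it with `// getSpec returns the pod template spec and metadata of a Pod or of a workload kind that embeds one.` The enclosing validate function starts in the previous hunk.
```go
) (resp *engineapi.RuleResponse, err error) {
	// … unchanged: Update check, old/new/empty resource locals, matchResource guard …
	if serr := policyContext.SetResources(emptyResource, oldResource); serr != nil {
		return nil, errors.Wrapf(serr, "failed to set resources")
	}
	// Undo the swap on every exit path, including a SetOperation failure below; a failed
	// restore overrides the result so the caller never continues on a stale context.
	defer func() {
		if rerr := policyContext.SetResources(oldResource, newResource); rerr != nil {
			resp, err = nil, errors.Wrapf(rerr, "failed to reset resources")
		}
		if rerr := policyContext.SetOperation(kyvernov1.Update); rerr != nil {
			resp, err = nil, errors.Wrapf(rerr, "failed to reset operation")
		}
	}()
	if serr := policyContext.SetOperation(kyvernov1.Create); serr != nil { // simulates the condition when old object was "created"
		return nil, errors.Wrapf(serr, "failed to set operation")
	}
	_, resp = h.validate(ctx, logger, policyContext, oldResource, rule, engineLoader)
	return resp, nil
}
```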
@@ -110,11 +190,7 @@ func getSpec(resource unstructured.Unstructured) (podSpec *corev1.PodSpec, metad podSpec = &pod.Spec metadata = &pod.ObjectMeta return podSpec, metadata, nil - } else { - return nil, nil, fmt.Errorf("Could not find correct resource type") } - if err != nil { - return nil, nil, err - } - return podSpec, metadata, err + + return nil, nil, fmt.Errorf("could not find correct resource type") } diff --git a/pkg/engine/handlers/validation/validate_resource.go b/pkg/engine/handlers/validation/validate_resource.go index ae8bf3bf065c..4d74966fbe5e 100644 --- a/pkg/engine/handlers/validation/validate_resource.go +++ b/pkg/engine/handlers/validation/validate_resource.go @@ -46,7 +46,7 @@ type validator struct { policyContext engineapi.PolicyContext rule kyvernov1.Rule contextEntries []kyvernov1.ContextEntry - anyAllConditions apiextensions.JSON + anyAllConditions any pattern apiextensions.JSON anyPattern apiextensions.JSON deny *kyvernov1.Deny 
@@ -114,54 +114,70 @@ func (v *validator) validate(ctx context.Context) *engineapi.RuleResponse { return engineapi.RuleSkip(v.rule.Name, engineapi.Validation, s) } + var ruleResponse *engineapi.RuleResponse if v.deny != nil { - return v.validateDeny() - } - - if v.pattern != nil || v.anyPattern != nil { + ruleResponse = v.validateDeny() + } else if v.pattern != nil || v.anyPattern != nil { if err = v.substitutePatterns(); err != nil { return engineapi.RuleError(v.rule.Name, engineapi.Validation, "variable substitution failed", err) } - ruleResponse := v.validateResourceWithRule() + ruleResponse = v.validateResourceWithRule() + } else if v.forEach != nil { + ruleResponse = v.validateForEach(ctx) + } else { + v.log.V(2).Info("invalid validation rule: podSecurity, cel, patterns, or deny expected") + } - if engineutils.IsUpdateRequest(v.policyContext) { - priorResp, err := v.validateOldObject(ctx) - if err != nil { - return engineapi.RuleError(v.rule.Name, engineapi.Validation, "failed to validate old object", err) - } + allowExisitingViolations := v.rule.HasValidateAllowExistingViolations() + if engineutils.IsUpdateRequest(v.policyContext) && allowExisitingViolations && v.nesting == 0 { // is update request and is the root level validate + priorResp, err := v.validateOldObject(ctx) + if err != nil { + v.log.V(2).Info("warning: failed to validate old object, skipping the rule evaluation as pre-existing violations are allowed", "rule", v.rule.Name, "error", err.Error()) + return engineapi.RuleSkip(v.rule.Name, engineapi.Validation, "failed to validate old object, skipping as preexisting violations are allowed") + } - if engineutils.IsSameRuleResponse(ruleResponse, priorResp) { - v.log.V(3).Info("skipping modified resource as validation results have not changed") - if ruleResponse.Status() == engineapi.RuleStatusPass { - return ruleResponse - } - return engineapi.RuleSkip(v.rule.Name, engineapi.Validation, "skipping modified resource as validation results have not 
changed") + if engineutils.IsSameRuleResponse(ruleResponse, priorResp) { + v.log.V(3).Info("skipping modified resource as validation results have not changed") + if ruleResponse.Status() == engineapi.RuleStatusPass { + return ruleResponse } + return engineapi.RuleSkip(v.rule.Name, engineapi.Validation, "skipping modified resource as validation results have not changed") } - - return ruleResponse } - if v.forEach != nil { - ruleResponse := v.validateForEach(ctx) - return ruleResponse - } - - v.log.V(2).Info("invalid validation rule: podSecurity, cel, patterns, or deny expected") - return nil + return ruleResponse } func (v *validator) validateOldObject(ctx context.Context) (*engineapi.RuleResponse, error) { - pc := v.policyContext - oldPc, err := v.policyContext.OldPolicyContext() - if err != nil { - return nil, errors.Wrapf(err, "cannot get old policy context") + if v.policyContext.Operation() != kyvernov1.Update { + return nil, errors.New("invalid operation") + } + + newResource := v.policyContext.NewResource() + oldResource := v.policyContext.OldResource() + emptyResource := unstructured.Unstructured{} + + if ok := matchResource(oldResource, v.rule); !ok { + return engineapi.RuleSkip(v.rule.Name, engineapi.Validation, "resource not matched"), nil + } + + if err := v.policyContext.SetResources(emptyResource, oldResource); err != nil { + return nil, errors.Wrapf(err, "failed to set resources") + } + if err := v.policyContext.SetOperation(kyvernov1.Create); err != nil { // simulates the condition when old object was "created" + return nil, errors.Wrapf(err, "failed to set operation") } - v.policyContext = oldPc resp := v.validate(ctx) - v.policyContext = pc + + if err := v.policyContext.SetResources(oldResource, newResource); err != nil { + return nil, errors.Wrapf(err, "failed to reset resources") + } + + if err := v.policyContext.SetOperation(kyvernov1.Update); err != nil { + return nil, errors.Wrapf(err, "failed to reset operation") + } return resp, nil } 
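Review bot: In `validate`, an error from `validateOldObject` now turns an already-computed `ruleResponse` into `RuleSkip`, so when the old object cannot be evaluated (for example a context entry that fails to resolve) a violating update is admitted instead of being blocked or surfaced as an error; on that path I would `return ruleResponse` (or keep the previous `RuleError`) so an evaluation failure cannot become a bypass. The final `else` branch leaves `ruleResponse` nil, and if `IsSameRuleResponse(nil, priorResp)` happens to return true the following `ruleResponse.Status()` dereferences nil, so a `ruleResponse != nil` guard belongs in front of the comparison. In `validateOldObject` the `SetResources`/`SetOperation` calls that restore the shared policy context are only reached on the normal return, so a panic inside `v.validate`, or `SetOperation(kyvernov1.Create)` failing after `SetResources` succeeded, leaves the context pointing at the old object as the new one; restoring in a `defer` is safer. The identifier `allowExisitingViolations` is misspelled.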
@@ -181,10 +197,7 @@ func (v *validator) validateForEach(ctx context.Context) *engineapi.RuleResponse applyCount += count } if applyCount == 0 { - if v.forEach == nil { - return nil - } - return engineapi.RuleSkip(v.rule.Name, engineapi.Validation, "rule skipped") + return nil } return engineapi.RulePass(v.rule.Name, engineapi.Validation, "rule passed") } @@ -375,7 +388,7 @@ func (v *validator) validatePatterns(resource unstructured.Unstructured) *engine } v.log.V(4).Info(fmt.Sprintf("Validation rule '%s' failed. %s", v.rule.Name, errorStr)) - msg := buildAnyPatternErrorMessage(v.rule, errorStr) + msg := v.buildAnyPatternErrorMessage(errorStr) return engineapi.RuleFail(v.rule.Name, engineapi.Validation, msg) } } @@ -426,17 +439,22 @@ func (v *validator) buildErrorMessage(err error, path string) string { } } -func buildAnyPatternErrorMessage(rule kyvernov1.Rule, errors []string) string { +func (v *validator) buildAnyPatternErrorMessage(errors []string) string { errStr := strings.Join(errors, " ") - if rule.Validation.Message == "" { + if v.rule.Validation.Message == "" { return fmt.Sprintf("validation error: %s", errStr) } - - if strings.HasSuffix(rule.Validation.Message, ".") { - return fmt.Sprintf("validation error: %s %s", rule.Validation.Message, errStr) + msgRaw, sErr := variables.SubstituteAll(v.log, v.policyContext.JSONContext(), v.rule.Validation.Message) + if sErr != nil { + v.log.V(2).Info("failed to substitute variables in message", "error", sErr) + return fmt.Sprintf("validation error: variables substitution error in rule %s execution error: %s", v.rule.Name, errStr) + } else { + msg := msgRaw.(string) + if strings.HasSuffix(msg, ".") { + return fmt.Sprintf("validation error: %s %s", msg, errStr) + } + return fmt.Sprintf("validation error: %s. %s", msg, errStr) } - - return fmt.Sprintf("validation error: %s. %s", rule.Validation.Message, errStr) } func (v *validator) substitutePatterns() error { 
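Review bot: `validateForEach` now returns a nil `*RuleResponse` when no element was processed, where it previously returned `RuleSkip(..., "rule skipped")`; its caller `validate` stores that nil in `ruleResponse` and, on the update path, hands it to `IsSameRuleResponse` and calls `ruleResponse.Status()` on it. Unless nil is deliberately meant to signal "no response" to the caller, keep `return engineapi.RuleSkip(v.rule.Name, engineapi.Validation, "rule skipped")` for the `applyCount == 0` case, or document the nil contract on the function. validateForEach starts outside this hunk.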
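Review bot: `msg := msgRaw.(string)` is an unchecked type assertion on the value returned by `variables.SubstituteAll`; if a rule's message consists of a single variable that resolves to a map, list or number, this panics inside the admission path instead of producing a message. Use the two-value form with a fallback: `msg, ok := msgRaw.(string)` / `if !ok { msg = fmt.Sprintf("%v", msgRaw) }`. The `else` after the `return` in the error branch is unnecessary and the body can be flattened.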
diff --git a/pkg/engine/jmespath/functions_test.go b/pkg/engine/jmespath/functions_test.go
index 0838e12e984a..64bf9dcfb4ff 100644
--- a/pkg/engine/jmespath/functions_test.go
+++ b/pkg/engine/jmespath/functions_test.go
@@ -1204,8 +1204,8 @@ ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn -----END CERTIFICATE REQUEST-----`, } resList := []string{ - `{"Raw":"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","RawTBSCertificate":"MIIB1aADAgECAgEAMA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNVBAMMDSoua3l2ZXJuby5zdmMwHhcNMjIwMTExMTMyNjQzWhcNMjMwMTExMTQyNjQzWjAYMRYwFAYDVQQDDA0qLmt5dmVybm8uc3ZjMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywDPzn7KKej4yZ0qxW0fA2LegBWO6bNceIt9QkrvGLkpTwHuCg8cX9UJ79XtjZzhp/J+BjZ4/DgvFIOQJg2BjCqNLAYhtyyq/llFrMF0PFHT2uLo+Sc3IFUYuLlGU9cisZDemw25/nmrDEnEs7fWoJm6+S0pjli+4hHgk+YGG5IVc6efRmJDDy7ExxDRADaXP4/FYJU2T2r7fUfkMfWhhkMt9TeaKMg4D4AkZlsFv5nAGalUvT7ZNcvETvhajB0oRX5ZOwqiM1N3RXBy5EpEpH/rKdcACKzbXLVftSL0UkTqYMjKVQPjRZc4oYnWVhjjWRGdiFWG9dg30m01h1jcewIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU6eUBJUP1+7dMCOm2Vb+ABcDiqX4=","RawSubjectPublicKeyInfo":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywDPzn7KKej4yZ0qxW0fA2LegBWO6bNceIt9QkrvGLkpTwHuCg8cX9UJ79XtjZzhp/J+BjZ4/DgvFIOQJg2BjCqNLAYhtyyq/llFrMF0PFHT2uLo+Sc3IFUYuLlGU9cisZDemw25/nmrDEnEs7fWoJm6+S0pjli+4hHgk+YGG5IVc6efRmJDDy7ExxDRADaXP4/FYJU2T2r7fUfkMfWhhkMt9TeaKMg4D4AkZlsFv5nAGalUvT7ZNcvETvhajB0oRX5ZOwqiM1N3RXBy5EpEpH/rKdcACKzbXLVftSL0UkTqYMjKVQPjRZc4oYnWVhjjWRGdiFWG9dg30m01h1jcewIDAQAB","RawSubject":"MBgxFjAUBgNVBAMMDSoua3l2ZXJuby5zdmM=","RawIssuer":"MBgxFjAUBgNVBAMMDSoua3l2ZXJuby5zdmM=","Signature":"iKckYgocafe3Kyn0NuCbe8/D/gBqS397F+Hi/OxEmu0EaFSbVy5mrrdaVBKGC0K7ipof9GBbWRvVsVYGOorim1p7u2znjAfyK/lf8q190fl72TrLl4iZxGyYgVupScy5XaFuH/+9R/o9Vg+LR6apnTMav7C6l3zyLnNP5tMhQp/gAwVhhgfDZ+ur8bb/nE+qfkSFaLVz0FmzIpVqeqXecErgevBaqw8LWCzSbT8BbPTD1ZLmiXWGdHlnf6zHCg/eB4H/PYLwNPqszFRX/twXpl7JI0EWMugirKqMguo1+J4WI7pgD/+6bG8yE7J6R7XwhBFPtiWcIDONOmojHLIC2w==","SignatureAlgorithm":4,"PublicKeyAlgorithm":1,"PublicKey":{"N":"256267761942998091039439252930224787795501113510904391689950352513966205939005892374523641354759830881627357204677981669851914882130221860773498211458574027017234990126997724231625503191
45896535355752944351742979794245171828792388153331005254201525593934122190716637483002316913539755904599370968007653484768793099970920881706651907943367212661888776583428009130496820305182341702970575924538413569026902195901329094514102681440057150490032724791460671006772434362132998853498175356133386237155854830546292463707783883111067332118558636600306550854546869660051077649500890548685566726464348535891964886136890236394619","E":65537},"Version":3,"SerialNumber":0,"Issuer":{"Country":null,"Organization":null,"OrganizationalUnit":null,"Locality":null,"Province":null,"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"*.kyverno.svc","Names":[{"Type":[2,5,4,3],"Value":"*.kyverno.svc"}],"ExtraNames":null},"Subject":{"Country":null,"Organization":null,"OrganizationalUnit":null,"Locality":null,"Province":null,"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"*.kyverno.svc","Names":[{"Type":[2,5,4,3],"Value":"*.kyverno.svc"}],"ExtraNames":null},"NotBefore":"2022-01-11T13:26:43Z","NotAfter":"2023-01-11T14:26:43Z","KeyUsage":37,"Extensions":[{"Id":[2,5,29,15],"Critical":true,"Value":"AwICpA=="},{"Id":[2,5,29,19],"Critical":true,"Value":"MAMBAf8="},{"Id":[2,5,29,14],"Critical":false,"Value":"BBTp5QElQ/X7t0wI6bZVv4AFwOKpfg=="}],"ExtraExtensions":null,"UnhandledCriticalExtensions":null,"ExtKeyUsage":null,"UnknownExtKeyUsage":null,"BasicConstraintsValid":true,"IsCA":true,"MaxPathLen":-1,"MaxPathLenZero":false,"SubjectKeyId":"6eUBJUP1+7dMCOm2Vb+ABcDiqX4=","AuthorityKeyId":null,"OCSPServer":null,"IssuingCertificateURL":null,"DNSNames":null,"EmailAddresses":null,"IPAddresses":null,"URIs":null,"PermittedDNSDomainsCritical":false,"PermittedDNSDomains":null,"ExcludedDNSDomains":null,"PermittedIPRanges":null,"ExcludedIPRanges":null,"PermittedEmailAddresses":null,"ExcludedEmailAddresses":null,"PermittedURIDomains":null,"ExcludedURIDomains":null,"CRLDistributionPoints":null,"PolicyIdentifiers":null}`, - 
`{"Raw":"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","RawTBSCertificate":"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","RawSubjectPublicKeyInfo":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0eSo6ZV/bcoxd1plTZ4VTHWHjBvT0kg0EHzH8cvtQTQoUlyc6hWc1AHSBG6RSimJgLOvMwXIZZaYH+kAQqiiX5mIja4zLqZxgEO06Lik6btTRNBAxXov/lh+LrnFHPdFMx3+1gCgWLhoJlskAaPFTpRY1gPNPLwT9w/pmeU1tUdGIDr/AeyhZxe1ZNdg/nKf1x/sRZCLWE4EzgFaY4jIHV/osSBCKllYw4w88c7eGy5IGfSuTuOi9K3ldOVuBGu3GoAmI2MlTKRbMgX6UudkKKiKmka/m+R0a8TzcmgAJe9lNTDMD4wu7j1+TDdvB6qRuGt6vyRpyN8aXDdok3ft4QIDAQAB","RawSubject":"MD0xCzAJBgNVBAYTAnh4MQowCAYDVQQIEwF4MQowCAYDVQQHEwF4MQowCAYDVQQKEwF4MQowCAYDVQQLEwF4","RawIssuer":"MD0xCzAJBgNVBAYTAnh4MQowCAYDVQQIEwF4MQowCAYDVQQHEwF4MQowCAYDVQQKEwF4MQowCAYDVQQLEwF4","Signature":"A7yr798ptFwGMCsTyy5dy3OrCWBw20zdHaJ3bhuz13m9XYbrpCdpX7n1GKdiBkgMbi3nE2HngcjladYGjG+S7CBrdgVQ5pTDJIh9vS1B7L28ovOQqSaOwOUSRugFltlQQog48+b/CRTOqTJAURX1x/qcCIHuuQhPjE0kHH29f2iCKENtuj+xP97lBl+JOKQ1xvzuxjb8pBeNL9QwecuwwwU0OCVoiX8hpE+vU5nThixQJo8MVI1srxHsuKiXsfxBhJuUUHDL/Ysu7W2tcCu7MpDRp+bgxCxjxiCBAGuayB5tRVBTmWVaBC2mrFkuefcMvKIN/RKttXQzMp2/AZ3Z/w==","SignatureAlgorithm":4,"PublicKeyAlgorithm":1,"PublicKey":{"N":"26496562094779491076553211809422098021949952483515703281510813808490953126660362388109632773224118754702902108388229193869554055094778177099185065933983949693842239539154549752097759985799130804083586220803335221114269832081649712810220640441076536231140807229028981655981643835428138719795509959624793308640711388215921808921435203036357847686892066058381787405708754578605922703585581205444932036212009496723589206933777338978604488048677611723712498345752655171502746679687404543368933776929978831813434358099337112479727796701588293884856604804625411358577626503349165930794262171211166398339413648296787152727521","E":65537},"Version":3,"SerialNumber":520089955419326249038486015063014459614455897759,"Issuer":{"Country":["xx"],"Organization":["x"],"OrganizationalUnit":["x"],"Locality":["x"],"Province":["x"],"S
treetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"","Names":[{"Type":[2,5,4,6],"Value":"xx"},{"Type":[2,5,4,8],"Value":"x"},{"Type":[2,5,4,7],"Value":"x"},{"Type":[2,5,4,10],"Value":"x"},{"Type":[2,5,4,11],"Value":"x"}],"ExtraNames":null},"Subject":{"Country":["xx"],"Organization":["x"],"OrganizationalUnit":["x"],"Locality":["x"],"Province":["x"],"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"","Names":[{"Type":[2,5,4,6],"Value":"xx"},{"Type":[2,5,4,8],"Value":"x"},{"Type":[2,5,4,7],"Value":"x"},{"Type":[2,5,4,10],"Value":"x"},{"Type":[2,5,4,11],"Value":"x"}],"ExtraNames":null},"NotBefore":"2018-02-02T12:38:00Z","NotAfter":"2023-02-01T12:38:00Z","KeyUsage":96,"Extensions":[{"Id":[2,5,29,15],"Critical":true,"Value":"AwIBBg=="},{"Id":[2,5,29,19],"Critical":true,"Value":"MAMBAf8="},{"Id":[2,5,29,14],"Critical":false,"Value":"BBSl3G+dm7+qKpw/g/X0zRR2S/CFsQ=="}],"ExtraExtensions":null,"UnhandledCriticalExtensions":null,"ExtKeyUsage":null,"UnknownExtKeyUsage":null,"BasicConstraintsValid":true,"IsCA":true,"MaxPathLen":-1,"MaxPathLenZero":false,"SubjectKeyId":"pdxvnZu/qiqcP4P19M0UdkvwhbE=","AuthorityKeyId":null,"OCSPServer":null,"IssuingCertificateURL":null,"DNSNames":null,"EmailAddresses":null,"IPAddresses":null,"URIs":null,"PermittedDNSDomainsCritical":false,"PermittedDNSDomains":null,"ExcludedDNSDomains":null,"PermittedIPRanges":null,"ExcludedIPRanges":null,"PermittedEmailAddresses":null,"ExcludedEmailAddresses":null,"PermittedURIDomains":null,"ExcludedURIDomains":null,"CRLDistributionPoints":null,"PolicyIdentifiers":null}`, + 
`{"Raw":"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","RawTBSCertificate":"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","RawSubjectPublicKeyInfo":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAywDPzn7KKej4yZ0qxW0fA2LegBWO6bNceIt9QkrvGLkpTwHuCg8cX9UJ79XtjZzhp/J+BjZ4/DgvFIOQJg2BjCqNLAYhtyyq/llFrMF0PFHT2uLo+Sc3IFUYuLlGU9cisZDemw25/nmrDEnEs7fWoJm6+S0pjli+4hHgk+YGG5IVc6efRmJDDy7ExxDRADaXP4/FYJU2T2r7fUfkMfWhhkMt9TeaKMg4D4AkZlsFv5nAGalUvT7ZNcvETvhajB0oRX5ZOwqiM1N3RXBy5EpEpH/rKdcACKzbXLVftSL0UkTqYMjKVQPjRZc4oYnWVhjjWRGdiFWG9dg30m01h1jcewIDAQAB","RawSubject":"MBgxFjAUBgNVBAMMDSoua3l2ZXJuby5zdmM=","RawIssuer":"MBgxFjAUBgNVBAMMDSoua3l2ZXJuby5zdmM=","Signature":"iKckYgocafe3Kyn0NuCbe8/D/gBqS397F+Hi/OxEmu0EaFSbVy5mrrdaVBKGC0K7ipof9GBbWRvVsVYGOorim1p7u2znjAfyK/lf8q190fl72TrLl4iZxGyYgVupScy5XaFuH/+9R/o9Vg+LR6apnTMav7C6l3zyLnNP5tMhQp/gAwVhhgfDZ+ur8bb/nE+qfkSFaLVz0FmzIpVqeqXecErgevBaqw8LWCzSbT8BbPTD1ZLmiXWGdHlnf6zHCg/eB4H/PYLwNPqszFRX/twXpl7JI0EWMugirKqMguo1+J4WI7pgD/+6bG8yE7J6R7XwhBFPtiWcIDONOmojHLIC2w==","SignatureAlgorithm":4,"PublicKeyAlgorithm":1,"PublicKey":{"N":"25626776194299809103943925293022478779550111351090439168995035251396620593900589237452364135475983088162735720467798166985191488213022186077349821145857402701723499012699772423162550319145896535355752944351742979794245171828792388153331005254201525593934122190716637483002316913539755904599370968007653484768793099970920881706651907943367212661888776583428009130496820305182341702970575924538413569026902195901329094514102681440057150490032724791460671006772434362132998853498175356133386237155854830546292463707783883111067332118558636600306550854546869660051077649500890548685566726464348535891964886136890236394619","E":65537},"Version":3,"SerialNumber":0,"Issuer":{"Country":null,"Organization":null,"OrganizationalUnit":null,"Locality":null,"Province":null,"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"*.kyverno.svc","Names":[{"Type":[2,5,4,3],"Value":"*.kyverno.svc"}],"ExtraNames"
:null},"Subject":{"Country":null,"Organization":null,"OrganizationalUnit":null,"Locality":null,"Province":null,"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"*.kyverno.svc","Names":[{"Type":[2,5,4,3],"Value":"*.kyverno.svc"}],"ExtraNames":null},"NotBefore":"2022-01-11T13:26:43Z","NotAfter":"2023-01-11T14:26:43Z","KeyUsage":37,"Extensions":[{"Id":[2,5,29,15],"Critical":true,"Value":"AwICpA=="},{"Id":[2,5,29,19],"Critical":true,"Value":"MAMBAf8="},{"Id":[2,5,29,14],"Critical":false,"Value":"BBTp5QElQ/X7t0wI6bZVv4AFwOKpfg=="}],"ExtraExtensions":null,"UnhandledCriticalExtensions":null,"ExtKeyUsage":null,"UnknownExtKeyUsage":null,"BasicConstraintsValid":true,"IsCA":true,"MaxPathLen":-1,"MaxPathLenZero":false,"SubjectKeyId":"6eUBJUP1+7dMCOm2Vb+ABcDiqX4=","AuthorityKeyId":null,"OCSPServer":null,"IssuingCertificateURL":null,"DNSNames":null,"EmailAddresses":null,"IPAddresses":null,"URIs":null,"PermittedDNSDomainsCritical":false,"PermittedDNSDomains":null,"ExcludedDNSDomains":null,"PermittedIPRanges":null,"ExcludedIPRanges":null,"PermittedEmailAddresses":null,"ExcludedEmailAddresses":null,"PermittedURIDomains":null,"Policies":null,"ExcludedURIDomains":null,"CRLDistributionPoints":null,"PolicyIdentifiers":null}`, + 
`{"Raw":"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","RawTBSCertificate":"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","RawSubjectPublicKeyInfo":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0eSo6ZV/bcoxd1plTZ4VTHWHjBvT0kg0EHzH8cvtQTQoUlyc6hWc1AHSBG6RSimJgLOvMwXIZZaYH+kAQqiiX5mIja4zLqZxgEO06Lik6btTRNBAxXov/lh+LrnFHPdFMx3+1gCgWLhoJlskAaPFTpRY1gPNPLwT9w/pmeU1tUdGIDr/AeyhZxe1ZNdg/nKf1x/sRZCLWE4EzgFaY4jIHV/osSBCKllYw4w88c7eGy5IGfSuTuOi9K3ldOVuBGu3GoAmI2MlTKRbMgX6UudkKKiKmka/m+R0a8TzcmgAJe9lNTDMD4wu7j1+TDdvB6qRuGt6vyRpyN8aXDdok3ft4QIDAQAB","RawSubject":"MD0xCzAJBgNVBAYTAnh4MQowCAYDVQQIEwF4MQowCAYDVQQHEwF4MQowCAYDVQQKEwF4MQowCAYDVQQLEwF4","RawIssuer":"MD0xCzAJBgNVBAYTAnh4MQowCAYDVQQIEwF4MQowCAYDVQQHEwF4MQowCAYDVQQKEwF4MQowCAYDVQQLEwF4","Signature":"A7yr798ptFwGMCsTyy5dy3OrCWBw20zdHaJ3bhuz13m9XYbrpCdpX7n1GKdiBkgMbi3nE2HngcjladYGjG+S7CBrdgVQ5pTDJIh9vS1B7L28ovOQqSaOwOUSRugFltlQQog48+b/CRTOqTJAURX1x/qcCIHuuQhPjE0kHH29f2iCKENtuj+xP97lBl+JOKQ1xvzuxjb8pBeNL9QwecuwwwU0OCVoiX8hpE+vU5nThixQJo8MVI1srxHsuKiXsfxBhJuUUHDL/Ysu7W2tcCu7MpDRp+bgxCxjxiCBAGuayB5tRVBTmWVaBC2mrFkuefcMvKIN/RKttXQzMp2/AZ3Z/w==","SignatureAlgorithm":4,"PublicKeyAlgorithm":1,"PublicKey":{"N":"26496562094779491076553211809422098021949952483515703281510813808490953126660362388109632773224118754702902108388229193869554055094778177099185065933983949693842239539154549752097759985799130804083586220803335221114269832081649712810220640441076536231140807229028981655981643835428138719795509959624793308640711388215921808921435203036357847686892066058381787405708754578605922703585581205444932036212009496723589206933777338978604488048677611723712498345752655171502746679687404543368933776929978831813434358099337112479727796701588293884856604804625411358577626503349165930794262171211166398339413648296787152727521","E":65537},"Version":3,"SerialNumber":520089955419326249038486015063014459614455897759,"Issuer":{"Country":["xx"],"Organization":["x"],"OrganizationalUnit":["x"],"Locality":["x"],"Province":["x"],"S
treetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"","Names":[{"Type":[2,5,4,6],"Value":"xx"},{"Type":[2,5,4,8],"Value":"x"},{"Type":[2,5,4,7],"Value":"x"},{"Type":[2,5,4,10],"Value":"x"},{"Type":[2,5,4,11],"Value":"x"}],"ExtraNames":null},"Subject":{"Country":["xx"],"Organization":["x"],"OrganizationalUnit":["x"],"Locality":["x"],"Province":["x"],"StreetAddress":null,"PostalCode":null,"SerialNumber":"","CommonName":"","Names":[{"Type":[2,5,4,6],"Value":"xx"},{"Type":[2,5,4,8],"Value":"x"},{"Type":[2,5,4,7],"Value":"x"},{"Type":[2,5,4,10],"Value":"x"},{"Type":[2,5,4,11],"Value":"x"}],"ExtraNames":null},"NotBefore":"2018-02-02T12:38:00Z","NotAfter":"2023-02-01T12:38:00Z","KeyUsage":96,"Extensions":[{"Id":[2,5,29,15],"Critical":true,"Value":"AwIBBg=="},{"Id":[2,5,29,19],"Critical":true,"Value":"MAMBAf8="},{"Id":[2,5,29,14],"Critical":false,"Value":"BBSl3G+dm7+qKpw/g/X0zRR2S/CFsQ=="}],"ExtraExtensions":null,"UnhandledCriticalExtensions":null,"ExtKeyUsage":null,"UnknownExtKeyUsage":null,"BasicConstraintsValid":true,"IsCA":true,"MaxPathLen":-1,"MaxPathLenZero":false,"SubjectKeyId":"pdxvnZu/qiqcP4P19M0UdkvwhbE=","AuthorityKeyId":null,"OCSPServer":null,"IssuingCertificateURL":null,"DNSNames":null,"EmailAddresses":null,"IPAddresses":null,"URIs":null,"PermittedDNSDomainsCritical":false,"PermittedDNSDomains":null,"ExcludedDNSDomains":null,"PermittedIPRanges":null,"ExcludedIPRanges":null,"PermittedEmailAddresses":null,"ExcludedEmailAddresses":null,"PermittedURIDomains":null,"Policies":null,"ExcludedURIDomains":null,"CRLDistributionPoints":null,"PolicyIdentifiers":null}`, `{"Attributes": null,"DNSNames": null,"EmailAddresses": null,"Extensions": null,"ExtraExtensions": null,"IPAddresses": null,"PublicKey": {"E": 65537,"N": 
"30788787775499084229626026724118719872973907471499649646184775670914346180312671906399223325409590948519743636184795333482381888453996128329396648505249062053283056069530767359210562374203250761551376585013181653210719557451154530514423713570995019036786795900989905655136970670786111875127185122973524433496741842862203002594125711406631836733656561027033024624302759714504708249269624951711291364305004897900464453081676928894280743798888738608709381777168414778329993619693869221517193116446955833233290395600921852333943656575398427367952052258926688943219100950267027328710138285403327192731641778165311310576291"},"PublicKeyAlgorithm": 1,"Raw": "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","RawSubject": "MHcxCzAJBgNVBAYTAlVTMQ0wCwYDVQQIDARVdGFoMQ8wDQYDVQQHDAZMaW5kb24xFjAUBgNVBAoMDURpZ2lDZXJ0IEluYy4xETAPBgNVBAsMCERpZ2lDZXJ0MR0wGwYDVQQDDBRleGFtcGxlLmRpZ2ljZXJ0LmNvbQ==","RawSubjectPublicKeyInfo": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmowp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiIWDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZwIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPRBPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQAB","RawTBSCertificateRequest": "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","Signature": "HSRysVxxKYUObGjHQ17TVQipKwOoeAv5eYdNcnCt7oOElJnBu8S04rQbf52vgWzXVa5Q23mpwuzHlry6TgboAoczO6EuwntdmOCZBcYQKlhDiYLfJPdmgIakhdvD6I/eWYQReBpAvRPHksWX+iQpspjAio2LIpY4yPtlH/DFaD9kMZGznnG6h4sMn9lEV/1sj4hoJR3Vit9hwciXcbzsC/6vj1hXCpENPRUNXu4uCqfb1cjU+lVQ0I9Aaf2n95fpCju+kNo/JtG0DZHtcsqNBoX2hdZ4JSrLWG8lpz1AU7b3s5vVqWkc+hnuZaIS4nCME+KLpr0z0bfSdSjf2UGLXA==","SignatureAlgorithm": 3,"Subject": {"CommonName": "example.digicert.com","Country": ["US"],"ExtraNames": null,"Locality": ["Lindon"],"Names": [{"Type": [2,5,4,6],"Value": "US"},{"Type": [2,5,4,8],"Value": "Utah"},{"Type": [2,5,4,7],"Value": 
"Lindon"},{"Type": [2,5,4,10],"Value": "DigiCert Inc."},{"Type": [2,5,4,11],"Value": "DigiCert"},{"Type": [2,5,4,3],"Value": "example.digicert.com"}],"Organization": ["DigiCert Inc."],"OrganizationalUnit": ["DigiCert"],"PostalCode": null,"Province": ["Utah"],"SerialNumber": "","StreetAddress": null},"URIs": null,"Version": 0}`, } resExpected := make([]map[string]interface{}, 3) diff --git a/pkg/engine/policycontext/policy_context.go b/pkg/engine/policycontext/policy_context.go index fa1de4209bd6..07ef6d12ae67 100644 --- a/pkg/engine/policycontext/policy_context.go +++ b/pkg/engine/policycontext/policy_context.go @@ -138,6 +138,26 @@ func (c PolicyContext) Copy() engineapi.PolicyContext { return c.copy() } +func (c *PolicyContext) SetOperation(op kyvernov1.AdmissionOperation) error { + c.operation = op + if err := c.jsonContext.AddOperation(string(op)); err != nil { + return errors.Wrapf(err, "failed to replace old object in the JSON context") + } + return nil +} + +func (c *PolicyContext) SetResources(oldResource, newResource unstructured.Unstructured) error { + c.newResource = newResource + if err := c.jsonContext.AddResource(c.newResource.Object); err != nil { + return errors.Wrapf(err, "failed to replace object in the JSON context") + } + c.oldResource = oldResource + if err := c.jsonContext.AddOldResource(c.oldResource.Object); err != nil { + return errors.Wrapf(err, "failed to replace old object in the JSON context") + } + return nil +} + // Mutators func (c *PolicyContext) WithPolicy(policy kyvernov1.PolicyInterface) *PolicyContext { diff --git a/pkg/engine/utils/exceptions.go b/pkg/engine/utils/exceptions.go new file mode 100644 index 000000000000..de935d242d7c --- /dev/null +++ b/pkg/engine/utils/exceptions.go 
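Review bot: The expected strings in `resList` snapshot the JSON serialization of Go's entire `x509.Certificate` struct, which is the only reason this hunk exists: the Go 1.22 bump added a `Policies` field and every fixture had to be regenerated by hand. Asserting on the fields the JMESPath function is meant to expose (subject, issuer, serial number, validity, extensions) instead of the full struct would keep the test stable across toolchain upgrades and make a real regression visible in the diff rather than buried in a multi-kilobyte string. The enclosing test function continues outside this hunk.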
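Review bot: `SetOperation` wraps its error as `"failed to replace old object in the JSON context"`, a message copied from `SetResources` that will mislead whoever reads the log; it should be `errors.Wrapf(err, "failed to set operation in the JSON context")`. Both setters also assign the struct field before the `jsonContext.Add*` call, so on error `c.operation` or `c.newResource` disagrees with the JSON context that variable substitution reads; assigning the field only after the add succeeds keeps the two views consistent. A doc comment stating that these mutate the receiver in place, unlike the `With*` builders that follow, would help callers such as `validateOldObject` that depend on restoring them afterwards.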
@@ -0,0 +1,167 @@ +package utils + +import ( + "github.com/go-logr/logr" + kyvernov1 "github.com/kyverno/kyverno/api/kyverno/v1" + kyvernov1beta1 "github.com/kyverno/kyverno/api/kyverno/v1beta1" + kyvernov2alpha1 "github.com/kyverno/kyverno/api/kyverno/v2alpha1" + kyvernov2beta1 "github.com/kyverno/kyverno/api/kyverno/v2beta1" + engineapi "github.com/kyverno/kyverno/pkg/engine/api" + datautils "github.com/kyverno/kyverno/pkg/utils/data" + matched "github.com/kyverno/kyverno/pkg/utils/match" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// MatchesException takes a list of exceptions and checks if there is an exception applies to the incoming resource. +// It returns the matched policy exception. +func MatchesException(polexs []*kyvernov2alpha1.PolicyException, policyContext engineapi.PolicyContext, logger logr.Logger) []kyvernov2alpha1.PolicyException { + var matchedExceptions []kyvernov2alpha1.PolicyException + gvk, subresource := policyContext.ResourceKind() + resource := policyContext.NewResource() + if resource.Object == nil { + resource = policyContext.OldResource() + } + for _, polex := range polexs { + match := checkMatchesResources( + resource, + polex.Spec.Match, + policyContext.NamespaceLabels(), + policyContext.AdmissionInfo(), + gvk, + subresource, + ) + if match { + matchedExceptions = append(matchedExceptions, *polex) + } + } + return matchedExceptions +} + +func checkMatchesResources( + resource unstructured.Unstructured, + statement kyvernov2beta1.MatchResources, + namespaceLabels map[string]string, + admissionInfo kyvernov1beta1.RequestInfo, + gvk schema.GroupVersionKind, + subresource string, +) bool { + if len(statement.Any) > 0 { + for _, rmr := range statement.Any { + if checkResourceFilter(rmr, resource, namespaceLabels, admissionInfo, gvk, subresource) { + return true + } + } + return false + } else if len(statement.All) > 0 { + for _, rmr := range statement.All { + if 
!checkResourceFilter(rmr, resource, namespaceLabels, admissionInfo, gvk, subresource) { + return false + } + } + return true + } + return false +} + +func checkResourceFilter( + statement kyvernov1.ResourceFilter, + resource unstructured.Unstructured, + namespaceLabels map[string]string, + admissionInfo kyvernov1beta1.RequestInfo, + gvk schema.GroupVersionKind, + subresource string, +) bool { + if statement.IsEmpty() { + return false + } + return checkResourceDescription(statement.ResourceDescription, resource, namespaceLabels, gvk, subresource) && + checkUserInfo(statement.UserInfo, admissionInfo) +} + +func checkResourceDescription( + conditionBlock kyvernov1.ResourceDescription, + resource unstructured.Unstructured, + namespaceLabels map[string]string, + gvk schema.GroupVersionKind, + subresource string, +) bool { + if len(conditionBlock.Kinds) > 0 { + if !matched.CheckKind(conditionBlock.Kinds, gvk, subresource, true) { + return false + } + } + if conditionBlock.Name != "" || len(conditionBlock.Names) > 0 { + resourceName := resource.GetName() + if resourceName == "" { + resourceName = resource.GetGenerateName() + } + if conditionBlock.Name != "" { + if !matched.CheckName(conditionBlock.Name, resourceName) { + return false + } + } + if len(conditionBlock.Names) > 0 { + noneMatch := true + for i := range conditionBlock.Names { + if matched.CheckName(conditionBlock.Names[i], resourceName) { + noneMatch = false + break + } + } + if noneMatch { + return false + } + } + } + if len(conditionBlock.Namespaces) > 0 { + if !matched.CheckNameSpace(conditionBlock.Namespaces, resource) { + return false + } + } + if len(conditionBlock.Annotations) > 0 { + if !matched.CheckAnnotations(conditionBlock.Annotations, resource.GetAnnotations()) { + return false + } + } + if conditionBlock.Selector != nil { + hasPassed, err := matched.CheckSelector(conditionBlock.Selector, resource.GetLabels()) + if err != nil { + return false + } else { + if !hasPassed { + return false + } + } + } 
+ if conditionBlock.NamespaceSelector != nil && resource.GetKind() != "Namespace" && resource.GetKind() != "" { + hasPassed, err := matched.CheckSelector(conditionBlock.NamespaceSelector, namespaceLabels) + if err != nil { + return false + } else { + if !hasPassed { + return false + } + } + } + return true +} + +func checkUserInfo(userInfo kyvernov1.UserInfo, admissionInfo kyvernov1beta1.RequestInfo) bool { + if len(userInfo.Roles) > 0 { + if !datautils.SliceContains(userInfo.Roles, admissionInfo.Roles...) { + return false + } + } + if len(userInfo.ClusterRoles) > 0 { + if !datautils.SliceContains(userInfo.ClusterRoles, admissionInfo.ClusterRoles...) { + return false + } + } + if len(userInfo.Subjects) > 0 { + if !matched.CheckSubjects(userInfo.Subjects, admissionInfo.AdmissionUserInfo) { + return false + } + } + return true +} diff --git a/pkg/engine/utils/utils.go b/pkg/engine/utils/utils.go index 4f2d43b1de5c..74710f1b5789 100644 --- a/pkg/engine/utils/utils.go +++ b/pkg/engine/utils/utils.go @@ -105,5 +105,5 @@ func IsSameRuleResponse(r1 *engineapi.RuleResponse, r2 *engineapi.RuleResponse) func IsUpdateRequest(ctx engineapi.PolicyContext) bool { // is the OldObject and NewObject are available, the request is an UPDATE - return ctx.OldResource().Object != nil && ctx.NewResource().Object != nil + return (ctx.OldResource().Object != nil && ctx.NewResource().Object != nil) || ctx.Operation() == kyvernov1.Update } diff --git a/pkg/notary/notary_test.go b/pkg/notary/notary_test.go index 92cdd7bee3db..56151bd31c84 100644 --- a/pkg/notary/notary_test.go +++ b/pkg/notary/notary_test.go @@ -35,7 +35,7 @@ uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz ) func TestExtractStatements(t *testing.T) { - imageRef := "jimnotarytest.azurecr.io/jim/net-monitor:v1" + imageRef := "ghcr.io/kyverno/test-verify-image:signed" ref, err := name.ParseReference(imageRef) assert.NilError(t, err) repoDesc, err := remote.Head(ref) 
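Review bot: In `checkResourceDescription` the `namespaceSelector` test is skipped whenever `resource.GetKind()` is empty, so a resource whose kind could not be determined satisfies a namespace-scoped exception that should not apply to it; because a PolicyException is a policy bypass, an undecidable selector should fail closed, so drop the `resource.GetKind() != ""` clause or return false when the kind is unknown. Nothing in this file compares the admission operation against the exception's resource description, so if the `ResourceDescription` type carries an operations field in this API version it is silently ignored here (the type is not visible from this hunk). The comment on `MatchesException` says it returns "the matched policy exception", but the function returns a slice of every match. The `resource.Object == nil` fallback to `OldResource()` deserves a one-line comment naming the case it serves, presumably DELETE.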
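Review bot: The comment above `IsUpdateRequest` still says the request is an UPDATE when both objects are available, but the new `|| ctx.Operation() == kyvernov1.Update` clause also makes it true for an UPDATE whose old object is absent; update it to `// the request is an UPDATE when both objects are available or the admission operation is UPDATE`. Callers that read `ctx.OldResource()` after this check now get an empty object on that new path, so any code that relied on the old object being populated should be re-verified.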
diff --git a/pkg/notary/repository_test.go b/pkg/notary/repository_test.go index 090f434d8023..c13c10b2dddb 100644 --- a/pkg/notary/repository_test.go +++ b/pkg/notary/repository_test.go @@ -12,7 +12,7 @@ import ( ) var ( - imageRef = "jimnotarytest.azurecr.io/jim/net-monitor:v1" + imageRef = "ghcr.io/kyverno/test-verify-image:signed" ctx = context.Background() ) @@ -29,7 +29,7 @@ func TestResolve(t *testing.T) { desc, err := repositoryClient.Resolve(ctx, repoDesc.Digest.String()) assert.NilError(t, err) - assert.Equal(t, desc.Digest.String(), "sha256:ba7000206594c2d72c3ab550453004c0dc50961157e5ebd2fb8ea1890099d02d") + assert.Equal(t, desc.Digest.String(), "sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105") assert.Equal(t, desc.MediaType, "application/vnd.docker.distribution.manifest.v2+json") } @@ -78,7 +78,6 @@ func TestFetchSignatureBlob(t *testing.T) { _, desc, err := repositoryClient.FetchSignatureBlob(ctx, v1ToOciSpecDescriptor(d)) assert.NilError(t, err) assert.Equal(t, desc.MediaType, "application/jose+json") - assert.Equal(t, desc.Digest.String(), "sha256:746134b09f89451497668c598857d87ca660bb3d0b888832235c460d8d2697f3") } } } diff --git a/pkg/pss/evaluate.go b/pkg/pss/evaluate.go index e83a37b10f16..d2f37dbca2bb 100644 --- a/pkg/pss/evaluate.go +++ b/pkg/pss/evaluate.go @@ -13,7 +13,7 @@ import ( ) // Evaluate Pod's specified containers only and get PSSCheckResults -func evaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PSSCheckResult) { +func EvaluatePSS(level *api.LevelVersion, pod corev1.Pod) (results []pssutils.PSSCheckResult) { checks := policy.DefaultChecks() var latestVersionCheck policy.VersionedCheck for _, check := range checks { 
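Review bot: Dropping the `desc.Digest` assertion in `TestFetchSignatureBlob` leaves the test checking only the media type, so it no longer notices a wrong or substituted signature blob being served for the new `ghcr.io/kyverno/test-verify-image:signed` reference; pin the blob digest for the new image the same way `TestResolve` pins the manifest digest, `assert.Equal(t, desc.Digest.String(), "sha256:<digest of the signed image's signature blob>")`. The enclosing test function starts outside this hunk.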
@@ -84,7 +84,7 @@ func exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults []pssutils.
 return newDefaultCheckResults
 }
-func parseVersion(rule *kyvernov1.PodSecurity) (*api.LevelVersion, error) {
+func ParseVersion(rule *kyvernov1.PodSecurity) (*api.LevelVersion, error) {
 // Get pod security admission version
 var apiVersion api.Version
@@ -106,12 +106,12 @@ func parseVersion(rule *kyvernov1.PodSecurity) (*api.LevelVersion, error) {
 // EvaluatePod applies PSS checks to the pod and exempts controls specified in the rule
 func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils.PSSCheckResult, error) {
- levelVersion, err := parseVersion(rule)
+ levelVersion, err := ParseVersion(rule)
 if err != nil {
 return false, nil, err
 }
- defaultCheckResults := evaluatePSS(levelVersion, *pod)
+ defaultCheckResults := EvaluatePSS(levelVersion, *pod)
 for _, exclude := range rule.Exclude {
 spec, matching := GetPodWithMatchingContainers(exclude, pod)
@@ -119,12 +119,12 @@ func EvaluatePod(rule *kyvernov1.PodSecurity, pod *corev1.Pod) (bool, []pssutils
 switch {
 // exclude pod level checks
 case spec != nil:
- excludeCheckResults := evaluatePSS(levelVersion, *spec)
+ excludeCheckResults := EvaluatePSS(levelVersion, *spec)
 defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)
 // exclude container level checks
 default:
- excludeCheckResults := evaluatePSS(levelVersion, *matching)
+ excludeCheckResults := EvaluatePSS(levelVersion, *matching)
 defaultCheckResults = exemptKyvernoExclusion(defaultCheckResults, excludeCheckResults, exclude)
 }
 }
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md
new file mode 100644
index 000000000000..d91e5186229a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/README.md
@@ -0,0 +1,13 @@
+## Description
+
+This test mainly verifies that an enforce validate policy blocks changes in old objects that were present before policy was created when `allowExistingViolations` is set to `false`
+
+## Expected Behavior
+
+1. A bad pod is created that violates the policy.
+2. The policy is applied.
+3. Violating changes in bad pod causes error becuase `allowExistingViolations` is set to `false`
+
+## Reference Issue(s)
+
+10084
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml
new file mode 100644
index 000000000000..8121c350a433
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-allow-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh
new file mode 100755
index 000000000000..80f311769b1a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod-allow-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating preexisting resource does throw error"
+ exit 0
+else
+ echo "Test failed, updating violating preexisting resource should throw error"
+ exit 1
+fi
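Review bot: bad-pod-update-test.sh is added with mode 100755 but has no interpreter line, so which shell runs it depends on the caller's ENOEXEC fallback; make it explicit with `#!/usr/bin/env bash` as the first line. The same omission is in every script added by this commit (bad-pod-update-test.sh, good-pod-update-test.sh and update-bad-pod-to-comply.sh in both the deny and the plain enforce-validate-existing directories). Note that `set -o pipefail` would not be a good companion here: kubectl is expected to exit non-zero on the denied update, and pipefail would turn that expected failure into a false branch.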
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml
new file mode 100644
index 000000000000..1a80a58bac28
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/bad-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-allow-existing
+ namespace: default
+ labels:
+ foo: bad
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml
new file mode 100755
index 000000000000..f992a75aeb1c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/chainsaw-test.yaml
@@ -0,0 +1,25 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-validate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: bad-pod.yaml
+ - assert:
+ file: bad-pod-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - script:
+ content: ./bad-pod-update-test.sh
+ timeout: 30s
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml
new file mode 100644
index 000000000000..217cca6ae5b7
--- /dev/null
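Review bot: metadata.name is `enforce-validate-existing` in this chainsaw-test.yaml although the directory is enforce-validate-existing-allow-existing-violations, and the chainsaw-test.yaml files added for the deny, pss and plain enforce-validate-existing variants carry exactly the same name; unless the runner is configured to report tests by path, four different tests become indistinguishable in output and in any filter by name. Name each test after its directory, e.g. `name: enforce-validate-existing-allow-existing-violations`. The `creationTimestamp: null` line is generator noise with no effect on a checked-in test and can be dropped, as can the trailing blank line after `timeout: 30s`.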
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-allow-existing
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml
new file mode 100644
index 000000000000..52322d11865a
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-allow-existing-violations/policy.yaml
@@ -0,0 +1,22 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-allow-existing
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: check-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ allowExistingViolations: false
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.foo || '' }}"
+ operator: NotEquals
+ value: 'bar'
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md
new file mode 100644
index 000000000000..b80a44599252
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/README.md
@@ -0,0 +1,15 @@
+## Description
+
+This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. A pod is created that follows the policy.
+4. Violating changes on bad pad does not cause error.
+5. Violating changes in good pod causes error.
+6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes.
+## Reference Issue(s)
+
+8837
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml
new file mode 100644
index 000000000000..bc6248a74045
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-deny
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh
new file mode 100755
index 000000000000..a5d61cb12f35
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod-deny foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test failed, updating violating preexisting resource should not throw error"
+ exit 1
+else
+ echo "Test succeed, updating violating preexisting resource does not throw error"
+ exit 0
+fi
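Review bot: In this bad-pod-update-test.sh the success branch is the no-match branch, so any kubectl failure that does not contain `validation error: rule check-labels` — the pod missing, the API server unreachable, or a reworded denial message — also makes the test pass. What the test actually asserts is that the update is accepted, and the command's exit status carries that directly: `if kubectl label po badpod-deny foo=bad1 --overwrite; then echo "Test succeed, ..."; exit 0; else echo "Test failed, ..."; exit 1; fi`, which makes the grep unnecessary. The copy of bad-pod-update-test.sh in the plain enforce-validate-existing directory has the same inverted check.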
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml
new file mode 100644
index 000000000000..ca1e01c4f3d3
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/bad-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-deny
+ namespace: default
+ labels:
+ foo: bad
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml
new file mode 100755
index 000000000000..8074137604e7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/chainsaw-test.yaml
@@ -0,0 +1,40 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-validate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: bad-pod.yaml
+ - assert:
+ file: bad-pod-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: good-pod.yaml
+ - assert:
+ file: good-pod-ready.yaml
+ - name: step-04
+ try:
+ - script:
+ content: ./bad-pod-update-test.sh
+ timeout: 30s
+ - name: step-05
+ try:
+ - script:
+ content: ./good-pod-update-test.sh
+ timeout: 30s
+ - name: step-06
+ try:
+ - script:
+ content: ./update-bad-pod-to-comply.sh
+ timeout: 30s
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml
new file mode 100644
index 000000000000..3650580e3837
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-deny
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh
new file mode 100755
index 000000000000..142f25c21d6e
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po goodpod-deny foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml
new file mode 100644
index 000000000000..0f686b3bf4f2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-deny
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy-ready.yaml
new file mode 100644
index 000000000000..b99900de5421
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-deny
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml
new file mode 100644
index 000000000000..a8342bf393d4
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-deny
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ deny:
+ conditions:
+ any:
+ - key: "{{ request.object.metadata.labels.foo || '' }}"
+ operator: NotEquals
+ value: 'bar'
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh
new file mode 100755
index 000000000000..ecb9628c9f10
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-deny/update-bad-pod-to-comply.sh
@@ -0,0 +1,9 @@
+kubectl label po badpod-deny foo=bar --overwrite
+if kubectl label po badpod-deny foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/README.md
new file mode 100644
index 000000000000..5bdeb8018a9f
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/README.md
@@ -0,0 +1,17 @@
+## Description
+
+This test mainly verifies that an pss validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. The bad pod is updated with a bad change, it is applied
+4. The bad pod is made to comply
+5. A bad change in that pod does not go through
+6. A good pod is created
+7. Violating changes in good pod causes error.
+
+## Reference Issue(s)
+
+8837
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-ready.yaml
new file mode 100644
index 000000000000..fef0b8c73e53
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: nginx
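Review bot: The first command of update-bad-pod-to-comply.sh, `kubectl label po badpod-deny foo=bar --overwrite`, has its exit status ignored, so if bringing the pod into compliance is itself rejected or the pod is missing the script carries on and reports the outcome of the second update under a misleading message. Guard it: `kubectl label po badpod-deny foo=bar --overwrite || { echo "Test failed, could not bring pod into compliance"; exit 1; }`. The update-bad-pod-to-comply.sh added for the plain enforce-validate-existing directory needs the same guard.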
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-comply.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-comply.yaml
new file mode 100644
index 000000000000..9436cf473ed2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-comply.yaml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull
+ ports:
+ - containerPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-remove-comply.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-remove-comply.yaml
new file mode 100644
index 000000000000..ee5352580497
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update-remove-comply.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull
+ ports:
+ - containerPort: 80
+ securityContext:
+ allowPrivilegeEscalation: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update.yaml
new file mode 100644
index 000000000000..b5cb70b0433c
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy-update.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull-new-image
+ securityContext:
+ allowPrivilegeEscalation: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy.yaml
new file mode 100644
index 000000000000..7be7a35af449
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/bad-deploy.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bad-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull
+ ports:
+ - containerPort: 80
+ securityContext:
+ allowPrivilegeEscalation: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/chainsaw-test.yaml
new file mode 100755
index 000000000000..9e34cf238201
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/chainsaw-test.yaml
@@ -0,0 +1,45 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-validate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: bad-deploy.yaml
+ - assert:
+ file: bad-deploy-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: bad-deploy-update.yaml
+ - name: step-04
+ try:
+ - apply:
+ file: bad-deploy-update-comply.yaml
+ - name: step-05
+ try:
+ - apply:
+ file: bad-deploy-update-remove-comply.yaml
+ expect:
+ - check:
+ ($error != `null`): true
+ - name: step-06
+ try:
+ - apply:
+ file: good-deploy.yaml
+ - name: step-07
+ try:
+ - apply:
+ file: good-deploy-update.yaml
+ expect:
+ - check:
+ ($error != `null`): true
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-ready.yaml
new file mode 100644
index 000000000000..6d9e203586b7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-ready.yaml
@@ -0,0 +1,6 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: nginx
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-update.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-update.yaml
new file mode 100644
index 000000000000..45485de220dd
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy-update.yaml
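Review bot: step-06 applies good-deploy.yaml without asserting on the result, yet good-deploy-ready.yaml is added in this same commit and referenced nowhere; either add `- assert:` / `file: good-deploy-ready.yaml` after the apply, mirroring step-01, or drop the unused file. The `($error != `null`): true` checks in step-05 and step-07 accept any failure, not specifically the policy denial, so an apply that fails for an unrelated reason (a malformed manifest, an API error) still passes; if chainsaw exposes the message text in `$error`, a JMESPath check such as `(contains($error, 'podsecurity-subrule-baseline')): true` would pin the expected cause — confirm against the chainsaw docs before relying on it. Step-03 deliberately has no expect because the update is meant to succeed; a one-line comment saying so would stop a reader from mistaking it for a missing check.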
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull
+ ports:
+ - containerPort: 80
+ securityContext:
+ allowPrivilegeEscalation: true
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy.yaml
new file mode 100644
index 000000000000..85e1933a0c81
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/good-deploy.yaml
@@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: good-deployment
+ labels:
+ app: nginx
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ template:
+ metadata:
+ labels:
+ app: nginx
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ hostNetwork: false
+ containers:
+ - name: nginx
+ image: ghcr.io/kyverno/test-nginx:dontpull
+ ports:
+ - containerPort: 80
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ seccompProfile:
+ type: Localhost
+ localhostProfile: operator/default/profile1.json
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+
+
+
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy-ready.yaml
new file mode 100644
index 000000000000..a192a3f658ad
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-baseline
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy.yaml
new file mode 100644
index 000000000000..ffa74cb5eca2
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing-pss/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: podsecurity-subrule-baseline
+spec:
+ background: true
+ validationFailureAction: Enforce
+ rules:
+ - name: baseline
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ - Deployment
+ validate:
+ podSecurity:
+ level: restricted
+ version: latest
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/README.md b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/README.md
new file mode 100644
index 000000000000..b80a44599252
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/README.md
@@ -0,0 +1,15 @@
+## Description
+
+This test mainly verifies that an enforce validate policy does not block changes in old objects that were present before policy was created
+
+## Expected Behavior
+
+1. A pod is created that violates the policy.
+2. The policy is applied.
+3. A pod is created that follows the policy.
+4. Violating changes on bad pad does not cause error.
+5. Violating changes in good pod causes error.
+6. The bad pod once passed the policy, will be tracked by the policy and return error on bad changes.
+## Reference Issue(s)
+
+8837
\ No newline at end of file
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-ready.yaml
new file mode 100644
index 000000000000..6237f13b1333
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-validate-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-update-test.sh
new file mode 100755
index 000000000000..0b014f2f510b
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test failed, updating violating preexisting resource should not throw error"
+ exit 1
+else
+ echo "Test succeed, updating violating preexisting resource does not throw error"
+ exit 0
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod.yaml
new file mode 100644
index 000000000000..74872026de44
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/bad-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: badpod-validate-existing
+ namespace: default
+ labels:
+ foo: bad
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/chainsaw-test.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/chainsaw-test.yaml
new file mode 100755
index 000000000000..8074137604e7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/chainsaw-test.yaml
@@ -0,0 +1,40 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ creationTimestamp: null
+ name: enforce-validate-existing
+spec:
+ steps:
+ - name: step-01
+ try:
+ - apply:
+ file: bad-pod.yaml
+ - assert:
+ file: bad-pod-ready.yaml
+ - name: step-02
+ try:
+ - apply:
+ file: policy.yaml
+ - assert:
+ file: policy-ready.yaml
+ - name: step-03
+ try:
+ - apply:
+ file: good-pod.yaml
+ - assert:
+ file: good-pod-ready.yaml
+ - name: step-04
+ try:
+ - script:
+ content: ./bad-pod-update-test.sh
+ timeout: 30s
+ - name: step-05
+ try:
+ - script:
+ content: ./good-pod-update-test.sh
+ timeout: 30s
+ - name: step-06
+ try:
+ - script:
+ content: ./update-bad-pod-to-comply.sh
+ timeout: 30s
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-ready.yaml
new file mode 100644
index 000000000000..09cd254f5073
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-ready.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-validate-existing
+ namespace: default
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-update-test.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-update-test.sh
new file mode 100755
index 000000000000..611bd8ee9df7
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod-update-test.sh
@@ -0,0 +1,8 @@
+if kubectl label po goodpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod.yaml
new file mode 100644
index 000000000000..917664364d31
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/good-pod.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: goodpod-validate-existing
+ namespace: default
+ labels:
+ foo: bar
+spec:
+ containers:
+ - name: container01
+ image: busybox:1.35
+ args:
+ - sleep
+ - 1d
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy-ready.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy-ready.yaml
new file mode 100644
index 000000000000..e8be2f369bf9
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy-ready.yaml
@@ -0,0 +1,4 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-validate-existing
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy.yaml b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy.yaml
new file mode 100644
index 000000000000..b9b3784b6778
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/policy.yaml
@@ -0,0 +1,19 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: check-labels-validate-existing
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-labels
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ validate:
+ pattern:
+ metadata:
+ labels:
+ =(foo): "bar"
diff --git a/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/update-bad-pod-to-comply.sh b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/update-bad-pod-to-comply.sh
new file mode 100755
index 000000000000..27437a10d640
--- /dev/null
+++ b/test/conformance/chainsaw/validate/clusterpolicy/enforce/enforce-validate-existing/update-bad-pod-to-comply.sh
@@ -0,0 +1,9 @@
+kubectl label po badpod-validate-existing foo=bar --overwrite
+if kubectl label po badpod-validate-existing foo=bad1 --overwrite 2>&1 | grep -q "validation error: rule check-labels"
+then
+ echo "Test succeed, updating violating resource throws error"
+ exit 0
+else
+ echo "Test failed, updating violating resource did not throw error"
+ exit 1
+fi
diff --git a/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml b/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml
index 1cde6b52f7a4..dd95568e6f4b 100644
--- a/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml
+++ b/test/conformance/kuttl/custom-sigstore/standard/basic/01-manifest.yaml
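Review bot: The `match` in policy.yaml selects every Pod in the cluster (`kinds:` / `- Pod` with no namespace restriction), so for the lifetime of the test an Enforce policy with `background: true` is applied to pods outside the test, and any pod elsewhere carrying a `foo` label other than `bar` would be rejected at admission. Both fixtures pin `namespace: default`, so adding `namespaces:` / `- default` under `resources:` confines the rule to the namespace the test owns. The `=(foo): "bar"` pattern is the only line carrying the rule's semantics and reads like a typo to anyone unfamiliar with Kyverno anchors; a comment such as `# =(foo): conditional anchor - the label is optional, but must equal "bar" when present` saves the next reader a lookup.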
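Review bot: The first line of update-bad-pod-to-comply.sh, `kubectl label po badpod-validate-existing foo=bar --overwrite`, is the precondition of the whole script, yet its exit status is ignored: if bringing the pod into compliance fails, the following check runs against a pod that still carries `foo: bad` and the script's verdict no longer says anything about updating a compliant pod. Gate it explicitly, `kubectl label po badpod-validate-existing -n default foo=bar --overwrite || { echo "Test failed, could not bring bad pod into compliance"; exit 1; }`, or put `set -e` on a first line so any unchecked command aborts the script.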
@@ -32,7 +32,7 @@ spec:
 entries:
 - keyless:
 issuer: "https://kubernetes.default.svc.cluster.local"
- subject: "*"
+ subject: "https://kubernetes.io/namespaces/default/serviceaccounts/default"
 rekor:
 url: "{{ tufvalues.data.REKOR_URL }}"
 required: true
\ No newline at end of file
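Review bot: The new `subject` pins verification to the `default/default` service account identity, a tighter check than the `"*"` it replaces, but nothing in the manifest records that this string has to stay in step with the identity the conformance workflow presumably signs the test image with; if that job ever switches service accounts, this test would fail with a verification error that does not point back here. A comment above the line, `# must match the service account identity used to sign the test image in the conformance workflow`, records the coupling. The enclosing resource starts before this hunk, so I cannot tell whether any other keyless entry in the same list still uses a wildcard subject.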
