v1alpha1

package
Version: v1.14.0

Published: Apr 24, 2025 License: Apache-2.0 Imports: 12 Imported by: 4

Documentation

Overview

+k8s:deepcopy-gen=package
+kubebuilder:object:generate=true
+groupName=policies.kyverno.io

Constants

const GroupName = "policies.kyverno.io"

GroupName specifies the group name used to register the objects.

Variables

var (
	// localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
	SchemeBuilder runtime.SchemeBuilder

	// Deprecated: use Install instead
	AddToScheme = localSchemeBuilder.AddToScheme
	Install     = localSchemeBuilder.AddToScheme
)

var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha1"}

GroupVersion specifies the group and the version used to register the objects.

var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}

SchemeGroupVersion is the group version used to register these objects.

Deprecated: use GroupVersion instead.

Functions

func RegisterDefaults

func RegisterDefaults(scheme *runtime.Scheme) error

RegisterDefaults adds defaulter functions to the given scheme. Public to allow building arbitrary schemes. All generated defaulters are covering: they call all nested defaulters.

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group-qualified GroupResource.

Types

type AdmissionConfiguration

type AdmissionConfiguration struct {
	// Enabled controls if rules are applied during admission.
	// Optional. Default value is "true".
	// +optional
	// +kubebuilder:default=true
	Enabled *bool `json:"enabled,omitempty"`
}

func (*AdmissionConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdmissionConfiguration.

func (*AdmissionConfiguration) DeepCopyInto

func (in *AdmissionConfiguration) DeepCopyInto(out *AdmissionConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Attestation

type Attestation struct {
	// Name is the name for this attestation. It is used to refer to the attestation in verification
	Name string `json:"name"`

	// InToto defines the details of attestation attached using intoto format
	// +optional
	InToto *InToto `json:"intoto,omitempty"`

	// Referrer defines the details of attestation attached using OCI 1.1 format
	// +optional
	Referrer *Referrer `json:"referrer,omitempty"`
}

Attestation defines the identification details of the metadata that has to be verified

func (*Attestation) DeepCopy

func (in *Attestation) DeepCopy() *Attestation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestation.

func (*Attestation) DeepCopyInto

func (in *Attestation) DeepCopyInto(out *Attestation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (Attestation) GetKey

func (a Attestation) GetKey() string

func (Attestation) IsInToto

func (a Attestation) IsInToto() bool

func (Attestation) IsReferrer

func (a Attestation) IsReferrer() bool

type Attestor

type Attestor struct {
	// Name is the name for this attestor. It is used to refer to the attestor in verification
	Name string `json:"name"`
	// Cosign defines attestor configuration for Cosign based signatures
	// +optional
	Cosign *Cosign `json:"cosign,omitempty"`
	// Notary defines attestor configuration for Notary based signatures
	// +optional
	Notary *Notary `json:"notary,omitempty"`
}

Attestor is an identity that confirms or verifies the authenticity of an image or an attestation

func (Attestor) ConvertToNative

func (v Attestor) ConvertToNative(typeDesc reflect.Type) (any, error)

func (Attestor) ConvertToType

func (v Attestor) ConvertToType(typeVal ref.Type) ref.Val

func (*Attestor) DeepCopy

func (in *Attestor) DeepCopy() *Attestor

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Attestor.

func (*Attestor) DeepCopyInto

func (in *Attestor) DeepCopyInto(out *Attestor)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (Attestor) Equal

func (v Attestor) Equal(other ref.Val) ref.Val

func (Attestor) GetKey

func (a Attestor) GetKey() string

func (Attestor) IsCosign

func (a Attestor) IsCosign() bool

func (Attestor) IsNotary

func (a Attestor) IsNotary() bool

func (Attestor) Type

func (v Attestor) Type() ref.Type

func (Attestor) Value

func (v Attestor) Value() any

type BackgroundConfiguration

type BackgroundConfiguration struct {
	// Enabled controls if rules are applied to existing resources during a background scan.
	// Optional. Default value is "true". The value must be set to "false" if the policy rule
	// uses variables that are only available in the admission review request (e.g. user name).
	// +optional
	// +kubebuilder:default=true
	Enabled *bool `json:"enabled,omitempty"`
}

func (*BackgroundConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackgroundConfiguration.

func (*BackgroundConfiguration) DeepCopyInto

func (in *BackgroundConfiguration) DeepCopyInto(out *BackgroundConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CTLog

type CTLog struct {
	// URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)
	// +optional
	URL string `json:"url,omitempty"`
	// RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.
	// If set, this will be used to validate transparency log signatures from a custom Rekor.
	// +optional
	RekorPubKey string `json:"rekorPubKey,omitempty"`
	// CTLogPubKey, if set, is used to validate SCTs against a custom source.
	// +optional
	CTLogPubKey string `json:"ctLogPubKey,omitempty"`
	// TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must
	// contain the root CA certificate. Optionally may contain intermediate CA certificates, and
	// may contain the leaf TSA certificate if not present in the timestamp.
	// +optional
	TSACertChain string `json:"tsaCertChain,omitempty"`
	// InsecureIgnoreTlog skips transparency log verification.
	// +optional
	InsecureIgnoreTlog bool `json:"insecureIgnoreTlog,omitempty"`
	// InsecureIgnoreSCT defines whether to use the Signed Certificate Timestamp (SCT) log to check for a certificate
	// timestamp. Default is false. Set to true if this was opted out during signing.
	// +optional
	InsecureIgnoreSCT bool `json:"insecureIgnoreSCT,omitempty"`
}

CTLog sets the configuration to verify the authority against a Rekor instance.

func (*CTLog) DeepCopy

func (in *CTLog) DeepCopy() *CTLog

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CTLog.

func (*CTLog) DeepCopyInto

func (in *CTLog) DeepCopyInto(out *CTLog)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Certificate

type Certificate struct {
	// Certificate is the public certificate for local signature verification.
	// +optional
	Certificate *StringOrExpression `json:"cert,omitempty"`
	// CertificateChain is the list of CA certificates in PEM format which will be needed
	// when building the certificate chain for the signing certificate. Must start with the
	// parent intermediate CA certificate of the signing certificate and end with the root certificate
	// +optional
	CertificateChain *StringOrExpression `json:"certChain,omitempty"`
}

Certificate defines the configuration for local signature verification

func (*Certificate) DeepCopy

func (in *Certificate) DeepCopy() *Certificate

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Certificate.

func (*Certificate) DeepCopyInto

func (in *Certificate) DeepCopyInto(out *Certificate)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ConditionStatus

type ConditionStatus struct {
	// Ready is a high-level summary of where the policy is in its lifecycle.
	// The conditions array, the reason and message fields contain more detail about the policy's status.
	// +optional
	Ready *bool `json:"ready,omitempty"`

	// +optional
	Conditions []metav1.Condition `json:"conditions,omitempty"`

	// Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy
	// It is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.
	// +optional
	Message string `json:"message"`
}

ConditionStatus is the shared status across all policy types

func (*ConditionStatus) DeepCopy

func (in *ConditionStatus) DeepCopy() *ConditionStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionStatus.

func (*ConditionStatus) DeepCopyInto

func (in *ConditionStatus) DeepCopyInto(out *ConditionStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ConditionStatus) IsReady

func (status ConditionStatus) IsReady() bool

func (*ConditionStatus) SetReadyByCondition

func (status *ConditionStatus) SetReadyByCondition(c PolicyConditionType, s metav1.ConditionStatus, message string)

type Cosign

type Cosign struct {
	// Key defines the type of key to validate the image.
	// +optional
	Key *Key `json:"key,omitempty"`
	// Keyless sets the configuration to verify the authority against a Fulcio instance.
	// +optional
	Keyless *Keyless `json:"keyless,omitempty"`
	// Certificate defines the configuration for local signature verification
	// +optional
	Certificate *Certificate `json:"certificate,omitempty"`
	// Source sets the configuration to specify the sources from where to consume the signature and attestations.
	// +optional
	Source *Source `json:"source,omitempty"`
	// CTLog sets the configuration to verify the authority against a Rekor instance.
	// +optional
	CTLog *CTLog `json:"ctlog,omitempty"`
	// TUF defines the configuration to fetch sigstore root
	// +optional
	TUF *TUF `json:"tuf,omitempty"`
	// Annotations are used for image verification.
	// Every specified key-value pair must exist and match in the verified payload.
	// The payload may contain other key-value pairs.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty"`
}

Cosign defines attestor configuration for Cosign based signatures

func (*Cosign) DeepCopy

func (in *Cosign) DeepCopy() *Cosign

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Cosign.

func (*Cosign) DeepCopyInto

func (in *Cosign) DeepCopyInto(out *Cosign)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Credentials

type Credentials struct {
	// AllowInsecureRegistry allows insecure access to a registry.
	// +optional
	AllowInsecureRegistry bool `json:"allowInsecureRegistry,omitempty"`

	// Providers specifies a list of OCI Registry names, whose authentication providers are provided.
	// Each entry can be one of these values: default, google, azure, amazon, github.
	// +optional
	Providers []CredentialsProvidersType `json:"providers,omitempty"`

	// Secrets specifies a list of secrets that are provided for credentials.
	// Secrets must live in the Kyverno namespace.
	// +optional
	Secrets []string `json:"secrets,omitempty"`
}

func (*Credentials) DeepCopy

func (in *Credentials) DeepCopy() *Credentials

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Credentials.

func (*Credentials) DeepCopyInto

func (in *Credentials) DeepCopyInto(out *Credentials)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CredentialsProvidersType

type CredentialsProvidersType string

CredentialsProvidersType provides the list of credential providers required.

+kubebuilder:validation:Enum=default;amazon;azure;google;github

const (
	DEFAULT CredentialsProvidersType = "default"
	AWS     CredentialsProvidersType = "amazon"
	ACR     CredentialsProvidersType = "azure"
	GCP     CredentialsProvidersType = "google"
	GHCR    CredentialsProvidersType = "github"
)

type EvaluationConfiguration

type EvaluationConfiguration struct {
	// Mode is the mode of policy evaluation.
	// Allowed values are "Kubernetes" or "JSON".
	// Optional. Default value is "Kubernetes".
	// +optional
	Mode EvaluationMode `json:"mode,omitempty"`

	// Admission controls policy evaluation during admission.
	// +optional
	Admission *AdmissionConfiguration `json:"admission,omitempty"`

	// Background controls policy evaluation during background scan.
	// +optional
	Background *BackgroundConfiguration `json:"background,omitempty"`
}

func (*EvaluationConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EvaluationConfiguration.

func (*EvaluationConfiguration) DeepCopyInto

func (in *EvaluationConfiguration) DeepCopyInto(out *EvaluationConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EvaluationMode

type EvaluationMode string

const (
	EvaluationModeKubernetes EvaluationMode = "Kubernetes"
	EvaluationModeJSON       EvaluationMode = "JSON"
)

type GenericPolicy

type GenericPolicy interface {
	metav1.Object
	GetMatchConstraints() admissionregistrationv1.MatchResources
	GetMatchConditions() []admissionregistrationv1.MatchCondition
	GetFailurePolicy() admissionregistrationv1.FailurePolicyType
	GetWebhookConfiguration() *WebhookConfiguration
	GetVariables() []admissionregistrationv1.Variable
}

+kubebuilder:object:generate=false

type Identity

type Identity struct {
	// Issuer defines the issuer for this identity.
	// +optional
	Issuer string `json:"issuer,omitempty"`
	// Subject defines the subject for this identity.
	// +optional
	Subject string `json:"subject,omitempty"`
	// IssuerRegExp specifies a regular expression to match the issuer for this identity.
	// +optional
	IssuerRegExp string `json:"issuerRegExp,omitempty"`
	// SubjectRegExp specifies a regular expression to match the subject for this identity.
	// +optional
	SubjectRegExp string `json:"subjectRegExp,omitempty"`
}

Identity may contain the issuer and/or the subject found in the transparency log. Issuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp apply a regexp for matching.

func (*Identity) DeepCopy

func (in *Identity) DeepCopy() *Identity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Identity.

func (*Identity) DeepCopyInto

func (in *Identity) DeepCopyInto(out *Identity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Image

type Image struct {
	// Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>
	Name string `json:"name"`

	// Expression defines CEL expression to extract images from the resource.
	Expression string `json:"expression"`
}

func (*Image) DeepCopy

func (in *Image) DeepCopy() *Image

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Image.

func (*Image) DeepCopyInto

func (in *Image) DeepCopyInto(out *Image)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageValidatingPolicy

type ImageValidatingPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              ImageValidatingPolicySpec `json:"spec"`
	// Status contains policy runtime data.
	// +optional
	Status ImageValidatingPolicyStatus `json:"status,omitempty"`
}

func (ImageValidatingPolicy) BackgroundEnabled

func (s ImageValidatingPolicy) BackgroundEnabled() bool

BackgroundEnabled checks if background is set to true

func (*ImageValidatingPolicy) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageValidatingPolicy.

func (*ImageValidatingPolicy) DeepCopyInto

func (in *ImageValidatingPolicy) DeepCopyInto(out *ImageValidatingPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImageValidatingPolicy) DeepCopyObject

func (in *ImageValidatingPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ImageValidatingPolicy) GetFailurePolicy

func (*ImageValidatingPolicy) GetKind

func (s *ImageValidatingPolicy) GetKind() string

func (*ImageValidatingPolicy) GetMatchConditions

func (*ImageValidatingPolicy) GetMatchConstraints

func (*ImageValidatingPolicy) GetSpec

func (*ImageValidatingPolicy) GetStatus

func (*ImageValidatingPolicy) GetVariables

func (*ImageValidatingPolicy) GetWebhookConfiguration

func (s *ImageValidatingPolicy) GetWebhookConfiguration() *WebhookConfiguration

type ImageValidatingPolicyAutogen

type ImageValidatingPolicyAutogen struct {
	Spec *ImageValidatingPolicySpec `json:"spec"`
}

func (*ImageValidatingPolicyAutogen) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageValidatingPolicyAutogen.

func (*ImageValidatingPolicyAutogen) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageValidatingPolicyAutogenConfiguration

type ImageValidatingPolicyAutogenConfiguration struct {
	// PodControllers specifies whether to generate pod controller rules.
	PodControllers *PodControllersGenerationConfiguration `json:"podControllers,omitempty"`
}

func (*ImageValidatingPolicyAutogenConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageValidatingPolicyAutogenConfiguration.

func (*ImageValidatingPolicyAutogenConfiguration) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageValidatingPolicyAutogenStatus

type ImageValidatingPolicyAutogenStatus struct {
	Configs map[string]ImageValidatingPolicyAutogen `json:"configs,omitempty"`
}

func (*ImageValidatingPolicyAutogenStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageValidatingPolicyAutogenStatus.

func (*ImageValidatingPolicyAutogenStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ImageValidatingPolicyList

type ImageValidatingPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []ImageValidatingPolicy `json:"items"`
}

ImageValidatingPolicyList is a list of ImageValidatingPolicy instances

func (*ImageValidatingPolicyList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageValidatingPolicyList.

func (*ImageValidatingPolicyList) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ImageValidatingPolicyList) DeepCopyObject

func (in *ImageValidatingPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ImageValidatingPolicySpec

type ImageValidatingPolicySpec struct {
	// MatchConstraints specifies what resources this policy is designed to validate.
	// +optional
	MatchConstraints *admissionregistrationv1.MatchResources `json:"matchConstraints"`

	// FailurePolicy defines how to handle failures for the admission policy. Failures can
	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
	// or mis-configured policy definitions or bindings.
	// +optional
	// +kubebuilder:validation:Enum=Ignore;Fail
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy"`

	// ValidationAction specifies the action to be taken when the matched resource violates the policy.
	// Required.
	// +listType=set
	// +kubebuilder:validation:items:Enum=Deny;Audit;Warn
	ValidationAction []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"`

	// MatchConditions is a list of conditions that must be met for a request to be validated.
	// Match conditions filter requests that have already been matched by the rules,
	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
	// There are a maximum of 64 match conditions allowed.
	// +optional
	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`

	// Variables contain definitions of variables that can be used in composition of other expressions.
	// Each variable is defined as a named CEL expression.
	// +optional
	Variables []admissionregistrationv1.Variable `json:"variables,omitempty"`

	// ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.
	// +optional
	// +kubebuilder:default={}
	ValidationConfigurations ValidationConfiguration `json:"validationConfigurations"`

	// MatchImageReferences is a list of Glob and CELExpressions to match images.
	// Any image that matches one of the rules is considered for validation.
	// Any image that does not match a rule is skipped, even when it is passed as an argument to
	// image verification functions.
	// +optional
	MatchImageReferences []MatchImageReference `json:"matchImageReferences"`

	// Credentials provides credentials that will be used for authentication with registry.
	// +kubebuilder:validation:Optional
	Credentials *Credentials `json:"credentials,omitempty"`

	// Images is a list of CEL expressions to extract images from the resource.
	// +optional
	Images []Image `json:"images,omitempty"`

	// Attestors provides a list of trusted authorities.
	Attestors []Attestor `json:"attestors"`

	// Attestations provides a list of image metadata to verify
	// +optional
	Attestations []Attestation `json:"attestations"`

	// Validations contain CEL expressions which are used to apply the image validation checks.
	// +listType=atomic
	Validations []admissionregistrationv1.Validation `json:"validations"`

	// WebhookConfiguration defines the configuration for the webhook.
	// +optional
	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`

	// EvaluationConfiguration defines the configuration for the policy evaluation.
	// +optional
	EvaluationConfiguration *EvaluationConfiguration `json:"evaluation,omitempty"`

	// AutogenConfiguration defines the configuration for the generation controller.
	// +optional
	AutogenConfiguration *ImageValidatingPolicyAutogenConfiguration `json:"autogen,omitempty"`
}

ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.
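
A linter for the spec fields on this page that weaken verification, as an added example (not Kyverno's own code): it decodes a policy document into local mirror structs built from the JSON tags documented here. The sample policy is constructed, and the anchoring check assumes identity regexps are applied as an unanchored search.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// policy mirrors only the JSON fields the linter reads; the names come from
// the struct tags on this page and nothing is imported from Kyverno.
type policy struct {
	Spec struct {
		FailurePolicy     string   `json:"failurePolicy"`
		ValidationActions []string `json:"validationActions"`
		Credentials       struct {
			AllowInsecureRegistry bool `json:"allowInsecureRegistry"`
		} `json:"credentials"`
		Attestors []struct {
			Name   string `json:"name"`
			Cosign struct {
				Keyless struct {
					Identities []struct {
						IssuerRegExp  string `json:"issuerRegExp"`
						SubjectRegExp string `json:"subjectRegExp"`
					} `json:"identities"`
				} `json:"keyless"`
				CTLog struct {
					InsecureIgnoreTlog bool `json:"insecureIgnoreTlog"`
					InsecureIgnoreSCT  bool `json:"insecureIgnoreSCT"`
				} `json:"ctlog"`
			} `json:"cosign"`
		} `json:"attestors"`
	} `json:"spec"`
}

// anchored reports whether a pattern is pinned at both ends. Assumption: the
// regexp is used as a search, so an unanchored pattern matches longer values.
func anchored(re string) bool {
	return strings.HasPrefix(re, "^") && strings.HasSuffix(re, "$")
}

// Lint returns one finding per setting that weakens image verification.
func Lint(doc []byte) ([]string, error) {
	var p policy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("decode policy: %w", err)
	}
	var out []string
	add := func(format string, args ...any) { out = append(out, fmt.Sprintf(format, args...)) }
	if p.Spec.FailurePolicy == "Ignore" {
		add("spec.failurePolicy: Ignore admits the request when evaluation fails")
	}
	// An empty list is left to the controller's default, which this page does not state.
	deny := len(p.Spec.ValidationActions) == 0
	for _, a := range p.Spec.ValidationActions {
		deny = deny || a == "Deny"
	}
	if !deny {
		add("spec.validationActions: %v has no Deny, violations are not blocked", p.Spec.ValidationActions)
	}
	if p.Spec.Credentials.AllowInsecureRegistry {
		add("spec.credentials.allowInsecureRegistry: insecure registry access is allowed")
	}
	for _, at := range p.Spec.Attestors {
		if at.Cosign.CTLog.InsecureIgnoreTlog {
			add("attestor %q: ctlog.insecureIgnoreTlog skips transparency log verification", at.Name)
		}
		if at.Cosign.CTLog.InsecureIgnoreSCT {
			add("attestor %q: ctlog.insecureIgnoreSCT skips the SCT check", at.Name)
		}
		for i, id := range at.Cosign.Keyless.Identities {
			for _, f := range [][2]string{{"issuerRegExp", id.IssuerRegExp}, {"subjectRegExp", id.SubjectRegExp}} {
				if f[1] != "" && !anchored(f[1]) {
					add("attestor %q: identities[%d].%s %q is not anchored with ^ and $", at.Name, i, f[0], f[1])
				}
			}
		}
	}
	return out, nil
}

// samplePolicy is a constructed document, not taken from a real cluster.
const samplePolicy = `{
 "apiVersion": "policies.kyverno.io/v1alpha1", "kind": "ImageValidatingPolicy",
 "metadata": {"name": "constructed-example"},
 "spec": {
  "failurePolicy": "Ignore", "validationActions": ["Audit", "Warn"],
  "credentials": {"allowInsecureRegistry": true},
  "attestors": [{"name": "ci", "cosign": {
    "keyless": {"identities": [{"issuer": "https://issuer.example", "subjectRegExp": "ci@example\\.org"}]},
    "ctlog": {"insecureIgnoreTlog": true, "insecureIgnoreSCT": true}}}]}}`

func main() {
	findings, err := Lint([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```
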

func (ImageValidatingPolicySpec) AdmissionEnabled

func (s ImageValidatingPolicySpec) AdmissionEnabled() bool

AdmissionEnabled checks if admission is set to true

func (ImageValidatingPolicySpec) BackgroundEnabled

func (s ImageValidatingPolicySpec) BackgroundEnabled() bool

BackgroundEnabled checks if background is set to true

func (*ImageValidatingPolicySpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageValidatingPolicySpec.

func (*ImageValidatingPolicySpec) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ImageValidatingPolicySpec) EvaluationMode

func (s ImageValidatingPolicySpec) EvaluationMode() EvaluationMode

EvaluationMode returns the evaluation mode of the policy.

func (ImageValidatingPolicySpec) ValidationActions

ValidationActions returns the validation actions.

type ImageValidatingPolicyStatus

type ImageValidatingPolicyStatus struct {
	// +optional
	ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"`

	// +optional
	Autogen ImageValidatingPolicyAutogenStatus `json:"autogen,omitempty"`
}

func (*ImageValidatingPolicyStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageValidatingPolicyStatus.

func (*ImageValidatingPolicyStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type InToto

type InToto struct {
	// Type defines the type of attestation contained within the statement.
	Type string `json:"type"`
}

func (*InToto) DeepCopy

func (in *InToto) DeepCopy() *InToto

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InToto.

func (*InToto) DeepCopyInto

func (in *InToto) DeepCopyInto(out *InToto)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Key

type Key struct {
	// Data contains the inline public key
	// +optional
	Data string `json:"data,omitempty"`
	// KMS contains the KMS url of the public key
	// Supported formats differ based on the KMS system used.
	// +optional
	KMS string `json:"kms,omitempty"`
	// HashAlgorithm specifies signature algorithm for public keys. Supported values are
	// sha224, sha256, sha384 and sha512. Defaults to sha256.
	// +optional
	HashAlgorithm string `json:"hashAlgorithm,omitempty"`
	// Expression is a CEL expression that returns the public key.
	// +optional
	Expression string `json:"expression,omitempty"`
}

A Key must specify only one of CEL, Data or KMS

func (*Key) DeepCopy

func (in *Key) DeepCopy() *Key

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Key.

func (*Key) DeepCopyInto

func (in *Key) DeepCopyInto(out *Key)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Keyless

type Keyless struct {
	// Identities sets a list of identities.
	Identities []Identity `json:"identities"`
	// Roots is an optional set of PEM encoded trusted root certificates.
	// If not provided, the system roots are used.
	// +kubebuilder:validation:Optional
	Roots string `json:"roots,omitempty"`
}

Keyless contains location of the validating certificate and the identities against which to verify.

func (*Keyless) DeepCopy

func (in *Keyless) DeepCopy() *Keyless

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Keyless.

func (*Keyless) DeepCopyInto

func (in *Keyless) DeepCopyInto(out *Keyless)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MatchImageReference

type MatchImageReference struct {
	// Glob defines a globbing pattern for matching images
	// +optional
	Glob string `json:"glob,omitempty"`
	// Expression defines CEL Expressions for matching images
	// +optional
	Expression string `json:"expression,omitempty"`
}

MatchImageReference defines a Glob or a CEL expression for matching images.

+kubebuilder:oneOf:={required:{glob}}
+kubebuilder:oneOf:={required:{expression}}

func (*MatchImageReference) DeepCopy

func (in *MatchImageReference) DeepCopy() *MatchImageReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchImageReference.

func (*MatchImageReference) DeepCopyInto

func (in *MatchImageReference) DeepCopyInto(out *MatchImageReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Notary

type Notary struct {
	// Certs define the cert chain for Notary signature verification
	// +optional
	Certs *StringOrExpression `json:"certs,omitempty"`
	// TSACerts define the cert chain for verifying timestamps of notary signature
	// +optional
	TSACerts *StringOrExpression `json:"tsaCerts,omitempty"`
}

Notary defines attestor configuration for Notary based signatures

func (*Notary) DeepCopy

func (in *Notary) DeepCopy() *Notary

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Notary.

func (*Notary) DeepCopyInto

func (in *Notary) DeepCopyInto(out *Notary)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodControllersGenerationConfiguration

type PodControllersGenerationConfiguration struct {
	Controllers []string `json:"controllers,omitempty"`
}

func (*PodControllersGenerationConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodControllersGenerationConfiguration.

func (*PodControllersGenerationConfiguration) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PolicyConditionType

type PolicyConditionType string

const (
	PolicyConditionTypeWebhookConfigured      PolicyConditionType = "WebhookConfigured"
	PolicyConditionTypePolicyCached           PolicyConditionType = "PolicyCached"
	PolicyConditionTypeRBACPermissionsGranted PolicyConditionType = "RBACPermissionsGranted"
)

type PolicyException

type PolicyException struct {
	metav1.TypeMeta   `json:",inline,omitempty"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec declares policy exception behaviors.
	Spec PolicyExceptionSpec `json:"spec"`
}

PolicyException declares resources to be excluded from specified policies.

func (*PolicyException) DeepCopy

func (in *PolicyException) DeepCopy() *PolicyException

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyException.

func (*PolicyException) DeepCopyInto

func (in *PolicyException) DeepCopyInto(out *PolicyException)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyException) DeepCopyObject

func (in *PolicyException) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*PolicyException) GetKind

func (p *PolicyException) GetKind() string

func (*PolicyException) Validate

func (p *PolicyException) Validate() (errs field.ErrorList)

Validate implements programmatic validation

type PolicyExceptionList

type PolicyExceptionList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []PolicyException `json:"items"`
}

PolicyExceptionList is a list of Policy Exceptions

func (*PolicyExceptionList) DeepCopy

func (in *PolicyExceptionList) DeepCopy() *PolicyExceptionList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionList.

func (*PolicyExceptionList) DeepCopyInto

func (in *PolicyExceptionList) DeepCopyInto(out *PolicyExceptionList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyExceptionList) DeepCopyObject

func (in *PolicyExceptionList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PolicyExceptionSpec

type PolicyExceptionSpec struct {
	// PolicyRefs identifies the policies to which the exception is applied.
	PolicyRefs []PolicyRef `json:"policyRefs"`

	// MatchConditions is a list of CEL expressions that must be met for a resource to be excluded.
	// +optional
	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty"`
}

PolicyExceptionSpec stores policy exception spec

func (*PolicyExceptionSpec) DeepCopy

func (in *PolicyExceptionSpec) DeepCopy() *PolicyExceptionSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyExceptionSpec.

func (*PolicyExceptionSpec) DeepCopyInto

func (in *PolicyExceptionSpec) DeepCopyInto(out *PolicyExceptionSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyExceptionSpec) Validate

func (p *PolicyExceptionSpec) Validate(path *field.Path) (errs field.ErrorList)

Validate implements programmatic validation

type PolicyRef

type PolicyRef struct {
	// Name is the name of the policy
	Name string `json:"name"`

	// Kind is the kind of the policy
	Kind string `json:"kind"`
}

func (*PolicyRef) DeepCopy

func (in *PolicyRef) DeepCopy() *PolicyRef

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyRef.

func (*PolicyRef) DeepCopyInto

func (in *PolicyRef) DeepCopyInto(out *PolicyRef)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyRef) Validate

func (p *PolicyRef) Validate(path *field.Path) (errs field.ErrorList)

type Referrer

type Referrer struct {
	// Type defines the type of attestation attached to the image.
	Type string `json:"type"`
}

func (*Referrer) DeepCopy

func (in *Referrer) DeepCopy() *Referrer

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Referrer.

func (*Referrer) DeepCopyInto

func (in *Referrer) DeepCopyInto(out *Referrer)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Source

type Source struct {
	// Repository defines the location from where to pull the signature / attestations.
	// +optional
	Repository string `json:"repository,omitempty"`
	// SignaturePullSecrets is an optional list of references to secrets in the
	// same namespace as the deploying resource for pulling any of the signatures
	// used by this Source.
	// +optional
	SignaturePullSecrets []corev1.LocalObjectReference `json:"PullSecrets,omitempty"`
	// TagPrefix is an optional prefix that signature and attestations have.
	// This is the 'tag based discovery' and in the future once references are
	// fully supported that should likely be the preferred way to handle these.
	// +optional
	TagPrefix string `json:"tagPrefix,omitempty"`
}

Source specifies the location of the signature / attestations.

func (*Source) DeepCopy

func (in *Source) DeepCopy() *Source

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source.

func (*Source) DeepCopyInto

func (in *Source) DeepCopyInto(out *Source)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type StringOrExpression

type StringOrExpression struct {
	// Value defines the raw string input.
	// +optional
	Value string `json:"value,omitempty"`
	// Expression defines a CEL expression input.
	// +optional
	Expression string `json:"expression,omitempty"`
}

StringOrExpression contains either a raw string input or a CEL expression.

+kubebuilder:oneOf:={required:{value}}
+kubebuilder:oneOf:={required:{expression}}

func (*StringOrExpression) DeepCopy

func (in *StringOrExpression) DeepCopy() *StringOrExpression

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringOrExpression.

func (*StringOrExpression) DeepCopyInto

func (in *StringOrExpression) DeepCopyInto(out *StringOrExpression)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TUF

type TUF struct {
	// Root defines the path or data of the trusted root
	// +optional
	Root TUFRoot `json:"root,omitempty"`
	// Mirror is the base URL of Sigstore TUF repository
	// +optional
	Mirror string `json:"mirror,omitempty"`
}

TUF defines the configuration to fetch sigstore root

func (*TUF) DeepCopy

func (in *TUF) DeepCopy() *TUF

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TUF.

func (*TUF) DeepCopyInto

func (in *TUF) DeepCopyInto(out *TUF)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TUFRoot

type TUFRoot struct {
	// Path is the URL or File location of the TUF root
	// +optional
	Path string `json:"path,omitempty"`
	// Data is the base64 encoded TUF root
	// +optional
	Data string `json:"data,omitempty"`
}

TUFRoot defines the path or data of the trusted root

func (*TUFRoot) DeepCopy

func (in *TUFRoot) DeepCopy() *TUFRoot

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TUFRoot.

func (*TUFRoot) DeepCopyInto

func (in *TUFRoot) DeepCopyInto(out *TUFRoot)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ValidatingPolicy

type ValidatingPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`
	Spec              ValidatingPolicySpec `json:"spec"`
	// Status contains policy runtime data.
	// +optional
	Status ValidatingPolicyStatus `json:"status,omitempty"`
}

func (ValidatingPolicy) BackgroundEnabled

func (s ValidatingPolicy) BackgroundEnabled() bool

BackgroundEnabled checks if background is set to true

func (*ValidatingPolicy) DeepCopy

func (in *ValidatingPolicy) DeepCopy() *ValidatingPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingPolicy.

func (*ValidatingPolicy) DeepCopyInto

func (in *ValidatingPolicy) DeepCopyInto(out *ValidatingPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ValidatingPolicy) DeepCopyObject

func (in *ValidatingPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ValidatingPolicy) GetFailurePolicy

func (*ValidatingPolicy) GetKind

func (s *ValidatingPolicy) GetKind() string

func (*ValidatingPolicy) GetMatchConditions

func (s *ValidatingPolicy) GetMatchConditions() []admissionregistrationv1.MatchCondition

func (*ValidatingPolicy) GetMatchConstraints

func (s *ValidatingPolicy) GetMatchConstraints() admissionregistrationv1.MatchResources

func (*ValidatingPolicy) GetSpec

func (s *ValidatingPolicy) GetSpec() *ValidatingPolicySpec

func (*ValidatingPolicy) GetStatus

func (s *ValidatingPolicy) GetStatus() *ValidatingPolicyStatus

func (*ValidatingPolicy) GetVariables

func (*ValidatingPolicy) GetWebhookConfiguration

func (s *ValidatingPolicy) GetWebhookConfiguration() *WebhookConfiguration

type ValidatingPolicyAutogen

type ValidatingPolicyAutogen struct {
	Spec *ValidatingPolicySpec `json:"spec"`
}

func (*ValidatingPolicyAutogen) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingPolicyAutogen.

func (*ValidatingPolicyAutogen) DeepCopyInto

func (in *ValidatingPolicyAutogen) DeepCopyInto(out *ValidatingPolicyAutogen)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ValidatingPolicyAutogenConfiguration

type ValidatingPolicyAutogenConfiguration struct {
	// PodControllers specifies whether to generate pod controller rules.
	PodControllers *PodControllersGenerationConfiguration `json:"podControllers,omitempty"`
	// ValidatingAdmissionPolicy specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.
	ValidatingAdmissionPolicy *VapGenerationConfiguration `json:"validatingAdmissionPolicy,omitempty"`
}

func (*ValidatingPolicyAutogenConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingPolicyAutogenConfiguration.

func (*ValidatingPolicyAutogenConfiguration) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ValidatingPolicyAutogenStatus

type ValidatingPolicyAutogenStatus struct {
	Configs map[string]ValidatingPolicyAutogen `json:"configs,omitempty"`
}

func (*ValidatingPolicyAutogenStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingPolicyAutogenStatus.

func (*ValidatingPolicyAutogenStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ValidatingPolicyList

type ValidatingPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []ValidatingPolicy `json:"items"`
}

ValidatingPolicyList is a list of ValidatingPolicy instances

func (*ValidatingPolicyList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingPolicyList.

func (*ValidatingPolicyList) DeepCopyInto

func (in *ValidatingPolicyList) DeepCopyInto(out *ValidatingPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ValidatingPolicyList) DeepCopyObject

func (in *ValidatingPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ValidatingPolicySpec

type ValidatingPolicySpec struct {
	// MatchConstraints specifies what resources this policy is designed to validate.
	// The AdmissionPolicy cares about a request if it matches _all_ Constraints.
	// Required.
	MatchConstraints *admissionregistrationv1.MatchResources `json:"matchConstraints,omitempty"`

	// Validations contain CEL expressions which are used to apply the validation.
	// Validations and AuditAnnotations may not both be empty; a minimum of one Validations or AuditAnnotations is
	// required.
	// +listType=atomic
	// +optional
	Validations []admissionregistrationv1.Validation `json:"validations,omitempty"`

	// failurePolicy defines how to handle failures for the admission policy. Failures can
	// occur from CEL expression parse errors, type check errors, runtime errors and invalid
	// or mis-configured policy definitions or bindings.
	//
	// failurePolicy does not define how validations that evaluate to false are handled.
	//
	// When failurePolicy is set to Fail, the validationActions field defines how failures are enforced.
	//
	// Allowed values are Ignore or Fail. Defaults to Fail.
	// +optional
	// +kubebuilder:validation:Enum=Ignore;Fail
	FailurePolicy *admissionregistrationv1.FailurePolicyType `json:"failurePolicy,omitempty"`

	// auditAnnotations contains CEL expressions which are used to produce audit
	// annotations for the audit event of the API request.
	// validations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is
	// required.
	// +listType=atomic
	// +optional
	AuditAnnotations []admissionregistrationv1.AuditAnnotation `json:"auditAnnotations,omitempty"`

	// MatchConditions is a list of conditions that must be met for a request to be validated.
	// Match conditions filter requests that have already been matched by the rules,
	// namespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.
	// There are a maximum of 64 match conditions allowed.
	//
	// If a parameter object is provided, it can be accessed via the `params` handle in the same
	// manner as validation expressions.
	//
	// The exact matching logic is (in order):
	//   1. If ANY matchCondition evaluates to FALSE, the policy is skipped.
	//   2. If ALL matchConditions evaluate to TRUE, the policy is evaluated.
	//   3. If any matchCondition evaluates to an error (but none are FALSE):
	//      - If failurePolicy=Fail, reject the request
	//      - If failurePolicy=Ignore, the policy is skipped
	//
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	// +optional
	MatchConditions []admissionregistrationv1.MatchCondition `json:"matchConditions,omitempty" patchStrategy:"merge" patchMergeKey:"name"`

	// Variables contain definitions of variables that can be used in composition of other expressions.
	// Each variable is defined as a named CEL expression.
	// The variables defined here will be available under `variables` in other expressions of the policy
	// except MatchConditions because MatchConditions are evaluated before the rest of the policy.
	//
	// The expression of a variable can refer to other variables defined earlier in the list but not those after.
	// Thus, Variables must be sorted by the order of first appearance and acyclic.
	// +patchMergeKey=name
	// +patchStrategy=merge
	// +listType=map
	// +listMapKey=name
	// +optional
	Variables []admissionregistrationv1.Variable `json:"variables,omitempty" patchStrategy:"merge" patchMergeKey:"name"`

	// AutogenConfiguration defines the configuration for the generation controller.
	// +optional
	AutogenConfiguration *ValidatingPolicyAutogenConfiguration `json:"autogen,omitempty"`

	// ValidationAction specifies the action to be taken when the matched resource violates the policy.
	// Required.
	// +listType=set
	// +kubebuilder:validation:items:Enum=Deny;Audit;Warn
	ValidationAction []admissionregistrationv1.ValidationAction `json:"validationActions,omitempty"`

	// WebhookConfiguration defines the configuration for the webhook.
	// +optional
	WebhookConfiguration *WebhookConfiguration `json:"webhookConfiguration,omitempty"`

	// EvaluationConfiguration defines the configuration for the policy evaluation.
	// +optional
	EvaluationConfiguration *EvaluationConfiguration `json:"evaluation,omitempty"`
}

ValidatingPolicySpec is the specification of the desired behavior of the ValidatingPolicy.
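
The matching order documented on MatchConditions above, written out as an added example (not Kyverno or Kubernetes code). `Decide`, `Result`, `Decision` and `errEval` are hypothetical stand-ins for already-evaluated CEL results, and the inputs in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins; none of these names exist in the Kyverno API.
type Decision string

const (
	Evaluate Decision = "evaluate" // run the policy's validations
	Skip     Decision = "skip"     // policy is not applied to the request
	Reject   Decision = "reject"   // request is denied
)

// Result is one matchCondition after CEL evaluation.
type Result struct {
	Name  string
	Value bool
	Err   error
}

// Decide applies the documented order. failurePolicy is "Fail" or "Ignore";
// an empty string is treated as the documented default, Fail.
// It returns the decision and the name of the condition that caused it.
func Decide(results []Result, failurePolicy string) (Decision, string) {
	errName, sawErr := "", false
	for _, r := range results {
		if r.Err != nil {
			if !sawErr {
				errName, sawErr = r.Name, true
			}
			continue
		}
		if !r.Value {
			return Skip, r.Name // step 1: any FALSE skips, even if others errored
		}
	}
	if !sawErr {
		return Evaluate, "" // step 2: all TRUE (an empty list matches everything)
	}
	if failurePolicy == "Ignore" {
		return Skip, errName // step 3: error + Ignore leaves the request unchecked
	}
	return Reject, errName // step 3: error + Fail rejects the request
}

// errEval is a constructed error standing in for a CEL runtime failure.
var errEval = errors.New("constructed CEL runtime error")

func main() {
	// Constructed input: one condition errors, the other is TRUE.
	conds := []Result{{Name: "has-label", Err: errEval}, {Name: "not-system", Value: true}}
	for _, fp := range []string{"Fail", "Ignore"} {
		d, why := Decide(conds, fp)
		fmt.Printf("failurePolicy=%-6s -> %s (%s)\n", fp, d, why)
	}
}
```

Under Ignore, a match condition that errors causes the policy to be skipped for that request, so expressions that can error on unexpected input (a missing field, for example) deserve review when that setting is used.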

func (ValidatingPolicySpec) AdmissionEnabled

func (s ValidatingPolicySpec) AdmissionEnabled() bool

AdmissionEnabled checks if admission is set to true

func (ValidatingPolicySpec) BackgroundEnabled

func (s ValidatingPolicySpec) BackgroundEnabled() bool

BackgroundEnabled checks if background is set to true

func (*ValidatingPolicySpec) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingPolicySpec.

func (*ValidatingPolicySpec) DeepCopyInto

func (in *ValidatingPolicySpec) DeepCopyInto(out *ValidatingPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (ValidatingPolicySpec) EvaluationMode

func (s ValidatingPolicySpec) EvaluationMode() EvaluationMode

EvaluationMode returns the evaluation mode of the policy.

func (ValidatingPolicySpec) GenerateValidatingAdmissionPolicyEnabled

func (s ValidatingPolicySpec) GenerateValidatingAdmissionPolicyEnabled() bool

GenerateValidatingAdmissionPolicyEnabled checks if validating admission policy generation is enabled

func (ValidatingPolicySpec) ValidationActions

ValidationActions returns the validation actions.

type ValidatingPolicyStatus

type ValidatingPolicyStatus struct {
	// +optional
	ConditionStatus ConditionStatus `json:"conditionStatus,omitempty"`

	// +optional
	Autogen ValidatingPolicyAutogenStatus `json:"autogen,omitempty"`

	// Generated indicates whether a ValidatingAdmissionPolicy/MutatingAdmissionPolicy is generated from the policy or not
	// +optional
	Generated bool `json:"generated"`
}

func (*ValidatingPolicyStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatingPolicyStatus.

func (*ValidatingPolicyStatus) DeepCopyInto

func (in *ValidatingPolicyStatus) DeepCopyInto(out *ValidatingPolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ValidatingPolicyStatus) GetConditionStatus

func (status *ValidatingPolicyStatus) GetConditionStatus() *ConditionStatus

type ValidationConfiguration

type ValidationConfiguration struct {
	// MutateDigest enables replacement of image tags with digests.
	// Defaults to true.
	// +kubebuilder:default=true
	// +optional
	MutateDigest *bool `json:"mutateDigest,omitempty"`

	// VerifyDigest validates that images have a digest.
	// +kubebuilder:default=true
	// +optional
	VerifyDigest *bool `json:"verifyDigest,omitempty"`

	// Required validates that images are verified, i.e., have passed a signature or attestation check.
	// +kubebuilder:default=true
	// +optional
	Required *bool `json:"required,omitempty"`
}

func (*ValidationConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationConfiguration.

func (*ValidationConfiguration) DeepCopyInto

func (in *ValidationConfiguration) DeepCopyInto(out *ValidationConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type VapGenerationConfiguration

type VapGenerationConfiguration struct {
	// Enabled specifies whether to generate a Kubernetes ValidatingAdmissionPolicy.
	// Optional. Defaults to "false" if not specified.
	Enabled *bool `json:"enabled,omitempty"`
}

func (*VapGenerationConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VapGenerationConfiguration.

func (*VapGenerationConfiguration) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type WebhookConfiguration

type WebhookConfiguration struct {
	// TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.
	// After the configured time expires, the admission request may fail, or may simply ignore the policy results,
	// based on the failure policy. The default timeout is 10s, the value must be between 1 and 30 seconds.
	TimeoutSeconds *int32 `json:"timeoutSeconds,omitempty"`
}

func (*WebhookConfiguration) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebhookConfiguration.

func (*WebhookConfiguration) DeepCopyInto

func (in *WebhookConfiguration) DeepCopyInto(out *WebhookConfiguration)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
