Documentation
Index
- Variables
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- type APICall
- type AnyAllConditions
- type CloneFrom
- type ClusterPolicy
- func (p *ClusterPolicy) BackgroundProcessingEnabled() bool
- func (in *ClusterPolicy) DeepCopy() *ClusterPolicy
- func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)
- func (in *ClusterPolicy) DeepCopyObject() runtime.Object
- func (p *ClusterPolicy) HasAutoGenAnnotation() bool
- func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool
- type ClusterPolicyList
- type Condition
- type ConditionOperator
- type ConfigMapReference
- type ContextEntry
- type Deny
- type ExcludeResources
- type GenerateRequest
- type GenerateRequestContext
- type GenerateRequestList
- type GenerateRequestSpec
- type GenerateRequestState
- type GenerateRequestStatus
- type Generation
- type MatchResources
- type Mutation
- type Patch
- type Policy
- type PolicyList
- type PolicyStatus
- type RequestInfo
- type ResourceDescription
- type ResourceSpec
- type Rule
- type RuleStats
- type Spec
- type UserInfo
- type Validation
- type ViolatedRule
Constants
This section is empty.
Variables

var (
    // SchemeBuilder builds the scheme
    SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
    // AddToScheme adds all types of this clientset into the given scheme
    AddToScheme = SchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: kyverno.GroupName, Version: "v1"}
SchemeGroupVersion is the group version used to register these objects.
Functions
func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource name and returns a Group-qualified GroupResource.
Types
type APICall added in v1.3.2

type APICall struct {
    // URLPath is the URL path to be used in the HTTP GET request to the
    // Kubernetes API server (e.g. "/api/v1/namespaces" or "/apis/apps/v1/deployments").
    // The format required is the same format used by the `kubectl get --raw` command.
    URLPath string `json:"urlPath" yaml:"urlPath"`

    // JMESPath is an optional JSON Match Expression that can be used to
    // transform the JSON response returned from the API server. For example
    // a JMESPath of "items | length(@)" applied to the API server response
    // to the URLPath "/apis/apps/v1/deployments" will return the total count
    // of deployments across all namespaces.
    // +optional
    JMESPath string `json:"jmesPath,omitempty" yaml:"jmesPath,omitempty"`
}

APICall defines an HTTP request to the Kubernetes API server. The JSON data retrieved is stored in the context. An APICall contains a URLPath used to perform the HTTP GET request and an optional JMESPath used to transform the retrieved JSON data.

func (*APICall) DeepCopy added in v1.3.4
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APICall.
func (*APICall) DeepCopyInto added in v1.3.4
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AnyAllConditions added in v1.3.4

type AnyAllConditions struct {
    // AnyConditions enable variable-based conditional rule execution. This is useful for
    // finer control of when a rule is applied. A condition can reference object data
    // using JMESPath notation.
    // Here, at least one of the conditions needs to pass.
    // +optional
    AnyConditions []Condition `json:"any,omitempty" yaml:"any,omitempty"`

    // AllConditions enable variable-based conditional rule execution. This is useful for
    // finer control of when a rule is applied. A condition can reference object data
    // using JMESPath notation.
    // Here, all of the conditions need to pass.
    // +optional
    AllConditions []Condition `json:"all,omitempty" yaml:"all,omitempty"`
}

AnyAllConditions wraps two sets of conditions that together express the logical criteria to be fulfilled. AnyConditions are fulfilled when at least one of their sub-conditions passes. AllConditions are fulfilled only when all of their sub-conditions pass.

func (*AnyAllConditions) DeepCopy added in v1.3.4

func (in *AnyAllConditions) DeepCopy() *AnyAllConditions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnyAllConditions.

func (*AnyAllConditions) DeepCopyInto added in v1.3.4

func (in *AnyAllConditions) DeepCopyInto(out *AnyAllConditions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CloneFrom

type CloneFrom struct {
    // Namespace specifies source resource namespace.
    // +optional
    Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`

    // Name specifies name of the resource.
    Name string `json:"name,omitempty" yaml:"name,omitempty"`
}

CloneFrom provides the location of the source resource used to generate target resources. The resource kind is derived from the match criteria.

func (*CloneFrom) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloneFrom.
func (*CloneFrom) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ClusterPolicy

type ClusterPolicy struct {
    metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
    metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

    // Spec declares policy behaviors.
    Spec Spec `json:"spec" yaml:"spec"`

    // Status contains policy runtime data.
    // +optional
    Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}

ClusterPolicy declares validation, mutation, and generation behaviors for matching resources.
+genclient
+genclient:nonNamespaced
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:object:root=true
+kubebuilder:subresource:status
+kubebuilder:resource:path=clusterpolicies,scope="Cluster",shortName=cpol
+kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background"
+kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction"

func (*ClusterPolicy) BackgroundProcessingEnabled added in v1.2.0

func (p *ClusterPolicy) BackgroundProcessingEnabled() bool

BackgroundProcessingEnabled reports whether the policy's background flag is set to true.

func (*ClusterPolicy) DeepCopy

func (in *ClusterPolicy) DeepCopy() *ClusterPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicy.

func (*ClusterPolicy) DeepCopyInto

func (in *ClusterPolicy) DeepCopyInto(out *ClusterPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterPolicy) DeepCopyObject

func (in *ClusterPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterPolicy) HasAutoGenAnnotation added in v1.2.0

func (p *ClusterPolicy) HasAutoGenAnnotation() bool

HasAutoGenAnnotation reports whether the policy carries the auto-gen annotation.

func (*ClusterPolicy) HasMutateOrValidateOrGenerate added in v1.1.0

func (p *ClusterPolicy) HasMutateOrValidateOrGenerate() bool

HasMutateOrValidateOrGenerate reports whether the policy contains at least one mutate, validate, or generate rule.
type ClusterPolicyList

type ClusterPolicyList struct {
    metav1.TypeMeta `json:",inline" yaml:",inline"`
    metav1.ListMeta `json:"metadata" yaml:"metadata"`
    Items           []ClusterPolicy `json:"items" yaml:"items"`
}

ClusterPolicyList is a list of ClusterPolicy instances.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*ClusterPolicyList) DeepCopy

func (in *ClusterPolicyList) DeepCopy() *ClusterPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterPolicyList.

func (*ClusterPolicyList) DeepCopyInto

func (in *ClusterPolicyList) DeepCopyInto(out *ClusterPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterPolicyList) DeepCopyObject

func (in *ClusterPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type Condition added in v1.1.0

type Condition struct {
    // Key is the context entry (using JMESPath) for conditional rule evaluation.
    // +kubebuilder:validation:XPreserveUnknownFields
    Key apiextensions.JSON `json:"key,omitempty" yaml:"key,omitempty"`

    // Operator is the operation to perform. Valid operators
    // are Equals, NotEquals, In and NotIn.
    Operator ConditionOperator `json:"operator,omitempty" yaml:"operator,omitempty"`

    // Value is the conditional value, or set of values. The values can be a fixed set
    // or can be variables declared using JMESPath.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +optional
    Value apiextensions.JSON `json:"value,omitempty" yaml:"value,omitempty"`
}

Condition defines variable-based conditional criteria for rule execution.

func (*Condition) DeepCopy added in v1.1.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto added in v1.1.0
DeepCopyInto is declared by hand because k8s:deepcopy-gen is not able to generate this method for an interface{} member.

type ConditionOperator added in v1.1.0

type ConditionOperator string

ConditionOperator is the operation performed on the condition key and value.
+kubebuilder:validation:Enum=Equals;NotEquals;In;NotIn

const (
    // Equal evaluates if the key is equal to the value.
    // Deprecated. Use Equals instead.
    Equal ConditionOperator = "Equal"
    // Equals evaluates if the key is equal to the value.
    Equals ConditionOperator = "Equals"
    // NotEqual evaluates if the key is not equal to the value.
    // Deprecated. Use NotEquals instead.
    NotEqual ConditionOperator = "NotEqual"
    // NotEquals evaluates if the key is not equal to the value.
    NotEquals ConditionOperator = "NotEquals"
    // In evaluates if the key is contained in the set of values.
    In ConditionOperator = "In"
    // NotIn evaluates if the key is not contained in the set of values.
    NotIn ConditionOperator = "NotIn"
    // GreaterThanOrEquals evaluates if the key (numeric) is greater than or equal to the value (numeric).
    GreaterThanOrEquals ConditionOperator = "GreaterThanOrEquals"
    // GreaterThan evaluates if the key (numeric) is greater than the value (numeric).
    GreaterThan ConditionOperator = "GreaterThan"
    // LessThanOrEquals evaluates if the key (numeric) is less than or equal to the value (numeric).
    LessThanOrEquals ConditionOperator = "LessThanOrEquals"
    // LessThan evaluates if the key (numeric) is less than the value (numeric).
    LessThan ConditionOperator = "LessThan"
)
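The operator semantics above and the any/all grouping of AnyAllConditions, as an added illustrative evaluator (not Kyverno's engine or code from this package): keys are assumed already resolved from the rule context, numeric operands are assumed to be float64 as encoding/json decodes them, and anything the policy author could mistype (an unknown operator, a non-numeric operand under an ordering operator) is an error rather than a silent false.

```go
package main

import "fmt"

// ConditionOperator mirrors the operator names documented on this page.
type ConditionOperator string

const (
    Equals              ConditionOperator = "Equals"
    NotEquals           ConditionOperator = "NotEquals"
    In                  ConditionOperator = "In"
    NotIn               ConditionOperator = "NotIn"
    GreaterThanOrEquals ConditionOperator = "GreaterThanOrEquals"
    GreaterThan         ConditionOperator = "GreaterThan"
    LessThanOrEquals    ConditionOperator = "LessThanOrEquals"
    LessThan            ConditionOperator = "LessThan"
)

// Condition is a simplified stand-in for the page's type: Key already holds the
// value resolved from the rule context (the JMESPath lookup is assumed done).
type Condition struct {
    Key      interface{}
    Operator ConditionOperator
    Value    interface{}
}

// AnyAllConditions: at least one of Any must pass and every entry of All must pass.
type AnyAllConditions struct {
    AnyConditions []Condition
    AllConditions []Condition
}

// member reports whether k is in value; a scalar value is treated as a one-element set.
func member(value, k interface{}) bool {
    set, ok := value.([]interface{})
    if !ok {
        set = []interface{}{value}
    }
    for _, e := range set {
        if fmt.Sprint(e) == fmt.Sprint(k) {
            return true
        }
    }
    return false
}

// Evaluate applies one operator. Unknown operators and non-numeric operands for the
// ordering operators are errors rather than a silent false, so a mistyped policy fails closed.
func Evaluate(c Condition) (bool, error) {
    switch c.Operator {
    case Equals, "Equal": // "Equal" and "NotEqual" are the deprecated spellings
        return fmt.Sprint(c.Key) == fmt.Sprint(c.Value), nil
    case NotEquals, "NotEqual":
        return fmt.Sprint(c.Key) != fmt.Sprint(c.Value), nil
    case In:
        return member(c.Value, c.Key), nil
    case NotIn:
        return !member(c.Value, c.Key), nil
    case GreaterThanOrEquals, GreaterThan, LessThanOrEquals, LessThan:
        // Simplification: numeric operands are float64, as encoding/json decodes JSON numbers.
        k, okK := c.Key.(float64)
        v, okV := c.Value.(float64)
        if !okK || !okV {
            return false, fmt.Errorf("%s needs numeric operands, got %v and %v", c.Operator, c.Key, c.Value)
        }
        results := map[ConditionOperator]bool{GreaterThanOrEquals: k >= v, GreaterThan: k > v, LessThanOrEquals: k <= v, LessThan: k < v}
        return results[c.Operator], nil
    }
    return false, fmt.Errorf("unknown operator %q", c.Operator)
}

// EvaluateAnyAll passes only when every AllConditions entry passes and, if any
// AnyConditions are given, at least one of them passes. Evaluation errors propagate.
func EvaluateAnyAll(a AnyAllConditions) (bool, error) {
    for _, c := range a.AllConditions {
        if ok, err := Evaluate(c); err != nil || !ok {
            return false, err
        }
    }
    anyOK := len(a.AnyConditions) == 0
    for _, c := range a.AnyConditions {
        ok, err := Evaluate(c)
        if err != nil {
            return false, err
        }
        anyOK = anyOK || ok
    }
    return anyOK, nil
}

func main() {
    // Constructed sample: the rule applies to Deployments or StatefulSets outside system namespaces.
    pre := AnyAllConditions{
        AnyConditions: []Condition{{Key: "Deployment", Operator: Equals, Value: "Deployment"}, {Key: "Deployment", Operator: Equals, Value: "StatefulSet"}},
        AllConditions: []Condition{{Key: "payments", Operator: NotIn, Value: []interface{}{"kube-system", "kube-public"}}},
    }
    fmt.Println(EvaluateAnyAll(pre)) // true <nil>
}
```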
type ConfigMapReference added in v1.2.0

type ConfigMapReference struct {
    // Name is the ConfigMap name.
    Name string `json:"name" yaml:"name"`

    // Namespace is the ConfigMap namespace.
    Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`
}

ConfigMapReference refers to a ConfigMap.

func (*ConfigMapReference) DeepCopy added in v1.2.0

func (in *ConfigMapReference) DeepCopy() *ConfigMapReference

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapReference.

func (*ConfigMapReference) DeepCopyInto added in v1.2.0

func (in *ConfigMapReference) DeepCopyInto(out *ConfigMapReference)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ContextEntry added in v1.2.0

type ContextEntry struct {
    // Name is the variable name.
    Name string `json:"name,omitempty" yaml:"name,omitempty"`

    // ConfigMap is the ConfigMap reference.
    ConfigMap *ConfigMapReference `json:"configMap,omitempty" yaml:"configMap,omitempty"`

    // APICall defines an HTTP request to the Kubernetes API server. The JSON
    // data retrieved is stored in the context.
    APICall *APICall `json:"apiCall,omitempty" yaml:"apiCall,omitempty"`
}

ContextEntry adds variables and data sources to a rule Context. Either a ConfigMap reference or an APICall must be provided.

func (*ContextEntry) DeepCopy added in v1.2.0

func (in *ContextEntry) DeepCopy() *ContextEntry

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContextEntry.

func (*ContextEntry) DeepCopyInto added in v1.2.0

func (in *ContextEntry) DeepCopyInto(out *ContextEntry)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Deny added in v1.2.0

type Deny struct {
    // AnyAllConditions specifies the set of conditions to deny, combined logically.
    // For the sake of backwards compatibility, it can be populated with []kyverno.Condition.
    // +kubebuilder:validation:XPreserveUnknownFields
    AnyAllConditions apiextensions.JSON `json:"conditions,omitempty" yaml:"conditions,omitempty"`
}

Deny specifies a list of conditions. The validation rule fails if any Condition evaluates to "false".

func (*Deny) DeepCopy added in v1.2.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Deny.
func (*Deny) DeepCopyInto added in v1.2.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ExcludeResources

type ExcludeResources struct {
    // UserInfo contains information about the user performing the operation.
    // +optional
    UserInfo `json:",omitempty" yaml:",omitempty"`

    // ResourceDescription contains information about the resource being created or modified.
    // +optional
    ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}

ExcludeResources specifies resource and admission review request data for which a policy rule is not applicable.

func (*ExcludeResources) DeepCopy

func (in *ExcludeResources) DeepCopy() *ExcludeResources

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludeResources.

func (*ExcludeResources) DeepCopyInto

func (in *ExcludeResources) DeepCopyInto(out *ExcludeResources)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GenerateRequest added in v1.1.0

type GenerateRequest struct {
    metav1.TypeMeta   `json:",inline" yaml:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

    // Spec is the information to identify the generate request.
    Spec GenerateRequestSpec `json:"spec" yaml:"spec"`

    // Status contains statistics related to the generate request.
    // +optional
    Status GenerateRequestStatus `json:"status" yaml:"status"`
}

GenerateRequest is a request to process a generate rule.
+genclient
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:object:root=true
+kubebuilder:subresource:status
+kubebuilder:printcolumn:name="Policy",type="string",JSONPath=".spec.policy"
+kubebuilder:printcolumn:name="ResourceKind",type="string",JSONPath=".spec.resource.kind"
+kubebuilder:printcolumn:name="ResourceName",type="string",JSONPath=".spec.resource.name"
+kubebuilder:printcolumn:name="ResourceNamespace",type="string",JSONPath=".spec.resource.namespace"
+kubebuilder:printcolumn:name="status",type="string",JSONPath=".status.state"
+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+kubebuilder:resource:shortName=gr

func (*GenerateRequest) DeepCopy added in v1.1.0

func (in *GenerateRequest) DeepCopy() *GenerateRequest

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequest.

func (*GenerateRequest) DeepCopyInto added in v1.1.0

func (in *GenerateRequest) DeepCopyInto(out *GenerateRequest)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GenerateRequest) DeepCopyObject added in v1.1.0

func (in *GenerateRequest) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GenerateRequestContext added in v1.1.0

type GenerateRequestContext struct {
    // +optional
    UserRequestInfo RequestInfo `json:"userInfo,omitempty" yaml:"userInfo,omitempty"`
}

GenerateRequestContext stores the context to be shared.

func (*GenerateRequestContext) DeepCopy added in v1.1.0

func (in *GenerateRequestContext) DeepCopy() *GenerateRequestContext

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestContext.

func (*GenerateRequestContext) DeepCopyInto added in v1.1.0

func (in *GenerateRequestContext) DeepCopyInto(out *GenerateRequestContext)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GenerateRequestList added in v1.1.0

type GenerateRequestList struct {
    metav1.TypeMeta `json:",inline" yaml:",inline"`
    metav1.ListMeta `json:"metadata" yaml:"metadata"`
    Items           []GenerateRequest `json:"items" yaml:"items"`
}

GenerateRequestList stores the list of generate requests.

func (*GenerateRequestList) DeepCopy added in v1.1.0

func (in *GenerateRequestList) DeepCopy() *GenerateRequestList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestList.

func (*GenerateRequestList) DeepCopyInto added in v1.1.0

func (in *GenerateRequestList) DeepCopyInto(out *GenerateRequestList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*GenerateRequestList) DeepCopyObject added in v1.1.0

func (in *GenerateRequestList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GenerateRequestSpec added in v1.1.0

type GenerateRequestSpec struct {
    // Policy specifies the name of the policy.
    Policy string `json:"policy" yaml:"policy"`

    // Resource is the information to identify the generate request.
    Resource ResourceSpec `json:"resource" yaml:"resource"`

    // Context ...
    Context GenerateRequestContext `json:"context" yaml:"context"`
}

GenerateRequestSpec stores the request specification.

func (*GenerateRequestSpec) DeepCopy added in v1.1.0

func (in *GenerateRequestSpec) DeepCopy() *GenerateRequestSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestSpec.

func (*GenerateRequestSpec) DeepCopyInto added in v1.1.0

func (in *GenerateRequestSpec) DeepCopyInto(out *GenerateRequestSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GenerateRequestState added in v1.1.0

type GenerateRequestState string

GenerateRequestState defines the state of a request.

const (
    // Pending - the Request is yet to be processed or the resource has not been created.
    Pending GenerateRequestState = "Pending"
    // Failed - the Generate Request Controller failed to process the rules.
    Failed GenerateRequestState = "Failed"
    // Completed - the Generate Request Controller created the resources defined in the policy.
    Completed GenerateRequestState = "Completed"
)
type GenerateRequestStatus added in v1.1.0

type GenerateRequestStatus struct {
    // State represents the state of the generate request.
    State GenerateRequestState `json:"state" yaml:"state"`

    // Message specifies the request status message.
    // +optional
    Message string `json:"message,omitempty" yaml:"message,omitempty"`

    // GeneratedResources tracks the resources generated by the generate policy.
    // It is used when cleaning up resources.
    GeneratedResources []ResourceSpec `json:"generatedResources,omitempty" yaml:"generatedResources,omitempty"`
}

GenerateRequestStatus stores the status of a generate request.

func (*GenerateRequestStatus) DeepCopy added in v1.1.0

func (in *GenerateRequestStatus) DeepCopy() *GenerateRequestStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GenerateRequestStatus.

func (*GenerateRequestStatus) DeepCopyInto added in v1.1.0

func (in *GenerateRequestStatus) DeepCopyInto(out *GenerateRequestStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Generation

type Generation struct {
    // ResourceSpec contains information to select the resource.
    ResourceSpec `json:",omitempty" yaml:",omitempty"`

    // Synchronize controls if generated resources should be kept in-sync with their source resource.
    // If Synchronize is set to "true" changes to generated resources will be overwritten with resource
    // data from Data or the resource specified in the Clone declaration.
    // Optional. Defaults to "false" if not specified.
    // +optional
    Synchronize bool `json:"synchronize,omitempty" yaml:"synchronize,omitempty"`

    // Data provides the resource declaration used to populate each generated resource.
    // At most one of Data or Clone must be specified. If neither are provided, the generated
    // resource will be created with default data only.
    // +kubebuilder:pruning:PreserveUnknownFields
    // +optional
    Data apiextensions.JSON `json:"data,omitempty" yaml:"data,omitempty"`

    // Clone specifies the source resource used to populate each generated resource.
    // At most one of Data or Clone can be specified. If neither are provided, the generated
    // resource will be created with default data only.
    // +optional
    Clone CloneFrom `json:"clone,omitempty" yaml:"clone,omitempty"`
}

Generation defines how new resources should be created and managed.

func (*Generation) DeepCopy

func (in *Generation) DeepCopy() *Generation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Generation.

func (*Generation) DeepCopyInto

func (gen *Generation) DeepCopyInto(out *Generation)

DeepCopyInto is declared by hand because k8s:deepcopy-gen is not able to generate this method for an interface{} member.
type MatchResources

type MatchResources struct {
    // UserInfo contains information about the user performing the operation.
    // +optional
    UserInfo `json:",omitempty" yaml:",omitempty"`

    // ResourceDescription contains information about the resource being created or modified.
    // Requires at least one tag to be specified when under MatchResources.
    ResourceDescription `json:"resources,omitempty" yaml:"resources,omitempty"`
}

MatchResources is used to specify resource and admission review request data for which a policy rule is applicable.

func (*MatchResources) DeepCopy

func (in *MatchResources) DeepCopy() *MatchResources

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchResources.

func (*MatchResources) DeepCopyInto

func (in *MatchResources) DeepCopyInto(out *MatchResources)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Mutation

type Mutation struct {
    // Overlay specifies an overlay pattern to modify resources.
    // DEPRECATED. Use PatchStrategicMerge instead. Scheduled for
    // removal in release 1.5+.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +optional
    Overlay apiextensions.JSON `json:"overlay,omitempty"`

    // Patches specifies a RFC 6902 JSON Patch to modify resources.
    // DEPRECATED. Use PatchesJSON6902 instead. Scheduled for
    // removal in release 1.5+.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +nullable
    // +optional
    Patches []Patch `json:"patches,omitempty" yaml:"patches,omitempty"`

    // PatchStrategicMerge is a strategic merge patch used to modify resources.
    // See https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/
    // and https://kubectl.docs.kubernetes.io/references/kustomize/patchesstrategicmerge/.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +optional
    PatchStrategicMerge apiextensions.JSON `json:"patchStrategicMerge,omitempty" yaml:"patchStrategicMerge,omitempty"`

    // PatchesJSON6902 is a list of RFC 6902 JSON Patch declarations used to modify resources.
    // See https://tools.ietf.org/html/rfc6902 and https://kubectl.docs.kubernetes.io/references/kustomize/patchesjson6902/.
    // +optional
    PatchesJSON6902 string `json:"patchesJson6902,omitempty" yaml:"patchesJson6902,omitempty"`
}

Mutation defines how resources are modified.

func (*Mutation) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mutation.
func (*Mutation) DeepCopyInto
DeepCopyInto is declared by hand because k8s:deepcopy-gen is not able to generate this method for an interface{} member.
type Patch

type Patch struct {
    // Path specifies the path of the resource.
    Path string `json:"path,omitempty" yaml:"path,omitempty"`

    // Operation specifies one of the operations supported by JSON Patch,
    // i.e. add, replace and delete.
    Operation string `json:"op,omitempty" yaml:"op,omitempty"`

    // Value specifies the value to be applied.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +optional
    Value apiextensions.JSON `json:"value,omitempty" yaml:"value,omitempty"`
}

Patch is a RFC 6902 JSON Patch. See: https://tools.ietf.org/html/rfc6902

func (*Patch) DeepCopyInto
DeepCopyInto is declared by hand because k8s:deepcopy-gen is not able to generate this method for an interface{} member.
type Policy

type Policy struct {
    metav1.TypeMeta   `json:",inline,omitempty" yaml:",inline,omitempty"`
    metav1.ObjectMeta `json:"metadata,omitempty" yaml:"metadata,omitempty"`

    // Spec defines policy behaviors and contains one or more rules.
    Spec Spec `json:"spec" yaml:"spec"`

    // Status contains policy runtime information.
    // +optional
    Status PolicyStatus `json:"status,omitempty" yaml:"status,omitempty"`
}

Policy declares validation, mutation, and generation behaviors for matching resources. See: https://kyverno.io/docs/writing-policies/ for more information.
+genclient
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:object:root=true
+kubebuilder:subresource:status
+kubebuilder:printcolumn:name="Background",type="string",JSONPath=".spec.background"
+kubebuilder:printcolumn:name="Action",type="string",JSONPath=".spec.validationFailureAction"
+kubebuilder:resource:shortName=pol

func (*Policy) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
func (*Policy) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Policy) DeepCopyObject added in v1.2.0
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyList added in v1.2.0

type PolicyList struct {
    metav1.TypeMeta `json:",inline" yaml:",inline"`
    metav1.ListMeta `json:"metadata" yaml:"metadata"`
    Items           []Policy `json:"items" yaml:"items"`
}

PolicyList is a list of Policy instances.
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

func (*PolicyList) DeepCopy added in v1.2.0

func (in *PolicyList) DeepCopy() *PolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.

func (*PolicyList) DeepCopyInto added in v1.2.0

func (in *PolicyList) DeepCopyInto(out *PolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyList) DeepCopyObject added in v1.2.0

func (in *PolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PolicyStatus

type PolicyStatus struct {
    // AvgExecutionTime is the average time taken to process the policy rules on a resource.
    // +optional
    AvgExecutionTime string `json:"averageExecutionTime,omitempty" yaml:"averageExecutionTime,omitempty"`

    // ViolationCount is the total count of policy failure results for this policy.
    // +optional
    ViolationCount int `json:"violationCount,omitempty" yaml:"violationCount,omitempty"`

    // RulesFailedCount is the total count of policy execution errors for this policy.
    // +optional
    RulesFailedCount int `json:"rulesFailedCount,omitempty" yaml:"rulesFailedCount,omitempty"`

    // RulesAppliedCount is the total number of times this policy was applied.
    // +optional
    RulesAppliedCount int `json:"rulesAppliedCount,omitempty" yaml:"rulesAppliedCount,omitempty"`

    // ResourcesBlockedCount is the total count of admission review requests that were blocked by this policy.
    // +optional
    ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty" yaml:"resourcesBlockedCount,omitempty"`

    // ResourcesMutatedCount is the total count of resources that were mutated by this policy.
    // +optional
    ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty" yaml:"resourcesMutatedCount,omitempty"`

    // ResourcesGeneratedCount is the total count of resources that were generated by this policy.
    // +optional
    ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty" yaml:"resourcesGeneratedCount,omitempty"`

    // Rules provides per-rule statistics.
    // +optional
    Rules []RuleStats `json:"ruleStatus,omitempty" yaml:"ruleStatus,omitempty"`
}

PolicyStatus mostly contains runtime information related to policy execution.

func (*PolicyStatus) DeepCopy

func (in *PolicyStatus) DeepCopy() *PolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.

func (*PolicyStatus) DeepCopyInto

func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RequestInfo added in v1.1.0

type RequestInfo struct {
    // Roles is a list of the roles that may have sent the request.
    // +nullable
    // +optional
    Roles []string `json:"roles" yaml:"roles"`

    // ClusterRoles is a list of the cluster roles that may have sent the request.
    // +nullable
    // +optional
    ClusterRoles []string `json:"clusterRoles" yaml:"clusterRoles"`

    // AdmissionUserInfo is the userInfo carried in the admission request.
    // +optional
    AdmissionUserInfo authenticationv1.UserInfo `json:"userInfo" yaml:"userInfo"`
}

RequestInfo contains the permission info carried in an admission request.

func (*RequestInfo) DeepCopy added in v1.1.0

func (in *RequestInfo) DeepCopy() *RequestInfo

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestInfo.

func (*RequestInfo) DeepCopyInto added in v1.1.0

func (in *RequestInfo) DeepCopyInto(out *RequestInfo)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceDescription ¶
type ResourceDescription struct { // Kinds is a list of resource kinds. // +optional Kinds []string `json:"kinds,omitempty" yaml:"kinds,omitempty"` // Name is the name of the resource. The name supports wildcard characters // "*" (matches zero or many characters) and "?" (at least one character). // +optional Name string `json:"name,omitempty" yaml:"name,omitempty"` // Namespaces is a list of namespaces names. Each name supports wildcard characters // "*" (matches zero or many characters) and "?" (at least one character). // +optional Namespaces []string `json:"namespaces,omitempty" yaml:"namespaces,omitempty"` // Annotations is a map of annotations (key-value pairs of type string). Annotation keys // and values support the wildcard characters "*" (matches zero or many characters) and // "?" (matches at least one character). // +optional Annotations map[string]string `json:"annotations,omitempty" yaml:"annotations,omitempty"` // Selector is a label selector. Label keys and values in `matchLabels` support the wildcard // characters `*` (matches zero or many characters) and `?` (matches one character). // Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that // using ["*" : "*"] matches any key and value but does not match an empty label set. // +optional Selector *metav1.LabelSelector `json:"selector,omitempty" yaml:"selector,omitempty"` // NamespaceSelector is a label selector for the resource namespace. Label keys and values // in `matchLabels` support the wildcard characters `*` (matches zero or many characters) // and `?` (matches one character).Wildcards allows writing label selectors like // ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but // does not match an empty label set. // +optional NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" yaml:"namespaceSelector,omitempty"` }
ResourceDescription contains criteria used to match resources.
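The matching semantics the field comments describe, worked through as an added example that is not part of the kyverno package: a reduced local mirror of ResourceDescription (the two metav1.LabelSelector fields are collapsed to their matchLabels maps), a hand-written wildcard matcher, and a RuleApplies helper that combines a rule's match block with its exclude block. The matcher assumes "?" consumes exactly one character; note that the comments on this page say "at least one character" for Name, Namespaces and Annotations but "one character" for the selectors, so check the behaviour of the Kyverno release you run before relying on "?" in a scope-critical match. The Resource type and the sample pods are constructed for the example. The security-relevant properties to observe are that exclude wins over match, that an empty exclude excludes nothing, and that ["*": "*"] does not match a resource with no labels, so a selector-based match silently skips unlabelled objects.

```go
package main

import "fmt"

// ResourceDescription is a reduced local mirror of the v1 type for this example;
// the two metav1.LabelSelector fields are collapsed to their matchLabels maps.
type ResourceDescription struct {
	Kinds           []string
	Name            string
	Namespaces      []string
	Annotations     map[string]string
	MatchLabels     map[string]string // stands in for Selector.MatchLabels
	NamespaceLabels map[string]string // stands in for NamespaceSelector.MatchLabels
}

// Resource is a constructed stand-in for the object under admission review.
type Resource struct {
	Kind, Name, Namespace string
	Labels, Annotations   map[string]string
	NamespaceLabels       map[string]string
}

// wildcardMatch implements "*" (zero or more characters) and "?", which this
// example takes to mean exactly one character (an assumption); other bytes match literally.
func wildcardMatch(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	switch pattern[0] {
	case '*':
		for i := 0; i <= len(s); i++ { // "*" may consume nothing or everything
			if wildcardMatch(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	case '?':
		return s != "" && wildcardMatch(pattern[1:], s[1:])
	default:
		return s != "" && s[0] == pattern[0] && wildcardMatch(pattern[1:], s[1:])
	}
}

// anyMatch reports whether some pattern matches s; an empty pattern list is "no constraint".
func anyMatch(patterns []string, s string) bool {
	if len(patterns) == 0 {
		return true
	}
	for _, p := range patterns {
		if wildcardMatch(p, s) {
			return true
		}
	}
	return false
}

// mapMatch requires every pattern key/value pair to be satisfied by some entry of
// actual. As the field docs note, ["*": "*"] matches any entry but not an empty map.
func mapMatch(patterns, actual map[string]string) bool {
	for pk, pv := range patterns {
		satisfied := false
		for k, v := range actual {
			if wildcardMatch(pk, k) && wildcardMatch(pv, v) {
				satisfied = true
				break
			}
		}
		if !satisfied {
			return false
		}
	}
	return true
}

// IsEmpty reports whether the description carries no criteria at all.
func (rd ResourceDescription) IsEmpty() bool {
	return len(rd.Kinds) == 0 && rd.Name == "" && len(rd.Namespaces) == 0 &&
		len(rd.Annotations) == 0 && len(rd.MatchLabels) == 0 && len(rd.NamespaceLabels) == 0
}

// Matches evaluates each populated field; fields left empty impose no constraint.
// Kinds are compared literally; only names, namespaces, annotations and labels take wildcards.
func (rd ResourceDescription) Matches(r Resource) bool {
	if len(rd.Kinds) > 0 {
		found := false
		for _, k := range rd.Kinds {
			if k == r.Kind {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	if rd.Name != "" && !wildcardMatch(rd.Name, r.Name) {
		return false
	}
	if !anyMatch(rd.Namespaces, r.Namespace) {
		return false
	}
	return mapMatch(rd.Annotations, r.Annotations) &&
		mapMatch(rd.MatchLabels, r.Labels) &&
		mapMatch(rd.NamespaceLabels, r.NamespaceLabels)
}

// RuleApplies combines a rule's match and exclude blocks: the resource must satisfy
// match and, if exclude carries any criteria, must not satisfy exclude.
func RuleApplies(match, exclude ResourceDescription, r Resource) bool {
	if !match.Matches(r) {
		return false
	}
	return exclude.IsEmpty() || !exclude.Matches(r)
}

func main() {
	// Constructed sample: pods in prod-* namespaces carrying any app.kubernetes.io/ label,
	// except single-character canary pods.
	match := ResourceDescription{
		Kinds:       []string{"Pod"},
		Namespaces:  []string{"prod-*"},
		MatchLabels: map[string]string{"app.kubernetes.io/*": "*"},
	}
	exclude := ResourceDescription{Name: "canary-?"}
	for _, r := range []Resource{
		{Kind: "Pod", Name: "web-1", Namespace: "prod-eu", Labels: map[string]string{"app.kubernetes.io/name": "web"}},
		{Kind: "Pod", Name: "canary-1", Namespace: "prod-eu", Labels: map[string]string{"app.kubernetes.io/name": "web"}},
		{Kind: "Pod", Name: "web-1", Namespace: "prod-eu"}, // no labels: ["*": "*"] must not match
	} {
		fmt.Printf("%s/%s applies=%v\n", r.Namespace, r.Name, RuleApplies(match, exclude, r))
	}
}
```

The third sample pod is the case worth remembering when a policy is meant to be a hard guardrail: a selector such as ["*": "*"] leaves unlabelled resources out of scope, so a match block that needs to cover everything of a kind should rely on kinds and namespaces rather than on a wildcard selector.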
func (*ResourceDescription) DeepCopy ¶
func (in *ResourceDescription) DeepCopy() *ResourceDescription
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDescription.
func (*ResourceDescription) DeepCopyInto ¶
func (in *ResourceDescription) DeepCopyInto(out *ResourceDescription)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ResourceSpec ¶
type ResourceSpec struct {
    // APIVersion specifies resource apiVersion.
    // +optional
    APIVersion string `json:"apiVersion,omitempty" yaml:"apiVersion,omitempty"`

    // Kind specifies resource kind.
    Kind string `json:"kind,omitempty" yaml:"kind,omitempty"`

    // Namespace specifies resource namespace.
    // +optional
    Namespace string `json:"namespace,omitempty" yaml:"namespace,omitempty"`

    // Name specifies the resource name.
    Name string `json:"name,omitempty" yaml:"name,omitempty"`
}
ResourceSpec contains information to identify a resource.
func (*ResourceSpec) DeepCopy ¶
func (in *ResourceSpec) DeepCopy() *ResourceSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceSpec.
func (*ResourceSpec) DeepCopyInto ¶
func (in *ResourceSpec) DeepCopyInto(out *ResourceSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (ResourceSpec) ToKey ¶
func (rs ResourceSpec) ToKey() string
ToKey generates the key string used when adding a label to a policy violation.
type Rule ¶
type Rule struct {
    // Name is a label to identify the rule. It must be unique within the policy.
    // +kubebuilder:validation:MaxLength=63
    Name string `json:"name,omitempty" yaml:"name,omitempty"`

    // Context defines variables and data sources that can be used during rule execution.
    // +optional
    Context []ContextEntry `json:"context,omitempty" yaml:"context,omitempty"`

    // MatchResources defines when this policy rule should be applied. The match
    // criteria can include resource information (e.g. kind, name, namespace, labels)
    // and admission review request information like the user name or role.
    // At least one kind is required.
    MatchResources MatchResources `json:"match,omitempty" yaml:"match,omitempty"`

    // ExcludeResources defines when this policy rule should not be applied. The exclude
    // criteria can include resource information (e.g. kind, name, namespace, labels)
    // and admission review request information like the name or role.
    // +optional
    ExcludeResources ExcludeResources `json:"exclude,omitempty" yaml:"exclude,omitempty"`

    // AnyAllConditions enable variable-based conditional rule execution. This is useful for
    // finer control of when a rule is applied. A condition can reference object data
    // using JMESPath notation.
    // Conditions can be combined logically: in some situations all conditions must pass,
    // in others at least one passing condition is enough.
    // For the sake of backwards compatibility, it can be populated with []kyverno.Condition.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +optional
    AnyAllConditions apiextensions.JSON `json:"preconditions,omitempty" yaml:"preconditions,omitempty"`

    // Mutation is used to modify matching resources.
    // +optional
    Mutation Mutation `json:"mutate,omitempty" yaml:"mutate,omitempty"`

    // Validation is used to validate matching resources.
    // +optional
    Validation Validation `json:"validate,omitempty" yaml:"validate,omitempty"`

    // Generation is used to create new resources.
    // +optional
    Generation Generation `json:"generate,omitempty" yaml:"generate,omitempty"`
}
Rule defines a validation, mutation, or generation control for matching resources. Each rule contains a match declaration to select resources, and an optional exclude declaration to specify which resources to exclude.
func (*Rule) DeepCopy ¶
func (in *Rule) DeepCopy() *Rule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶
func (in *Rule) DeepCopyInto(out *Rule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleStats ¶
type RuleStats struct {
    // Name is the rule name.
    Name string `json:"ruleName" yaml:"ruleName"`

    // ExecutionTime is the average time taken to execute this rule.
    // +optional
    ExecutionTime string `json:"averageExecutionTime,omitempty" yaml:"averageExecutionTime,omitempty"`

    // ViolationCount is the total count of policy failure results for this rule.
    // +optional
    ViolationCount int `json:"violationCount,omitempty" yaml:"violationCount,omitempty"`

    // FailedCount is the total count of policy error results for this rule.
    // +optional
    FailedCount int `json:"failedCount,omitempty" yaml:"failedCount,omitempty"`

    // AppliedCount is the total number of times this rule was applied.
    // +optional
    AppliedCount int `json:"appliedCount,omitempty" yaml:"appliedCount,omitempty"`

    // ResourcesBlockedCount is the total count of admission review requests that were blocked by this rule.
    // +optional
    ResourcesBlockedCount int `json:"resourcesBlockedCount,omitempty" yaml:"resourcesBlockedCount,omitempty"`

    // ResourcesMutatedCount is the total count of resources that were mutated by this rule.
    // +optional
    ResourcesMutatedCount int `json:"resourcesMutatedCount,omitempty" yaml:"resourcesMutatedCount,omitempty"`

    // ResourcesGeneratedCount is the total count of resources that were generated by this rule.
    // +optional
    ResourcesGeneratedCount int `json:"resourcesGeneratedCount,omitempty" yaml:"resourcesGeneratedCount,omitempty"`
}
RuleStats provides statistics for an individual rule within a policy.
func (*RuleStats) DeepCopy ¶
func (in *RuleStats) DeepCopy() *RuleStats
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStats.
func (*RuleStats) DeepCopyInto ¶
func (in *RuleStats) DeepCopyInto(out *RuleStats)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Spec ¶
type Spec struct {
    // Rules is a list of Rule instances. A Policy contains multiple rules and
    // each rule can validate, mutate, or generate resources.
    Rules []Rule `json:"rules,omitempty" yaml:"rules,omitempty"`

    // ValidationFailureAction controls if a validation policy rule failure should disallow
    // the admission review request (enforce), or allow (audit) the admission review request
    // and report an error in a policy report. Optional. The default value is "audit".
    // +optional
    ValidationFailureAction string `json:"validationFailureAction,omitempty" yaml:"validationFailureAction,omitempty"`

    // Background controls if rules are applied to existing resources during a background scan.
    // Optional. Default value is "true". The value must be set to "false" if the policy rule
    // uses variables that are only available in the admission review request (e.g. user name).
    // +optional
    Background *bool `json:"background,omitempty" yaml:"background,omitempty"`
}
Spec contains a list of Rule instances and other policy controls.
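Two of the Spec defaults above matter for whether a policy actually protects anything: with validationFailureAction unset, a validate rule only reports to a policy report and never rejects the request, and with background unset (true) a rule that references admission-request-only data such as the requesting user is invalid for background scans. The following pre-admission lint, an added example rather than Kyverno's own policy validation, parses a spec with reduced local mirrors of Spec and Rule (rule bodies are kept as raw JSON and only scanned) and flags both conditions. The list of request-only variable names in requestVar, the "overlay" shape of the sample mutate body (this page does not show Mutation's fields) and the sample policy itself are constructed assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Rule and Spec are reduced local mirrors of the v1 types, keeping the JSON tags
// from the page; rule bodies stay as raw JSON because the checks only scan them.
type Rule struct {
	Name          string          `json:"name"`
	Match         json.RawMessage `json:"match,omitempty"`
	Exclude       json.RawMessage `json:"exclude,omitempty"`
	Preconditions json.RawMessage `json:"preconditions,omitempty"`
	Mutate        json.RawMessage `json:"mutate,omitempty"`
	Validate      json.RawMessage `json:"validate,omitempty"`
	Generate      json.RawMessage `json:"generate,omitempty"`
}

type Spec struct {
	Rules                   []Rule `json:"rules"`
	ValidationFailureAction string `json:"validationFailureAction,omitempty"`
	Background              *bool  `json:"background,omitempty"`
}

// Finding is one lint result: the rule name and what is wrong with it.
type Finding struct{ Rule, Problem string }

// requestVar matches references to data that exists only in an admission review
// request. The set of variable names here is an assumption for this example.
var requestVar = regexp.MustCompile(`\{\{\s*request\.(userInfo|operation|roles|clusterRoles)\b`)

// Lint applies two checks derived from the Spec field docs:
//  1. with validationFailureAction unset or "audit", a validate rule reports but never blocks;
//  2. background defaults to true and must be false when a rule uses request-only variables.
func Lint(spec Spec) []Finding {
	var out []Finding
	enforce := strings.EqualFold(spec.ValidationFailureAction, "enforce")
	background := spec.Background == nil || *spec.Background
	for _, r := range spec.Rules {
		if len(r.Validate) > 0 && !enforce {
			out = append(out, Finding{r.Name, "validate rule runs in audit mode and will not block admission"})
		}
		body, err := json.Marshal(r) // re-encode so every sub-block is scanned at once
		if err != nil {
			out = append(out, Finding{r.Name, "cannot re-encode rule: " + err.Error()})
			continue
		}
		if background && requestVar.Match(body) {
			out = append(out, Finding{r.Name, "uses admission-request variables but background is not set to false"})
		}
	}
	return out
}

// LintJSON parses a policy spec document and lints it.
func LintJSON(data []byte) ([]Finding, error) {
	var spec Spec
	if err := json.Unmarshal(data, &spec); err != nil {
		return nil, err
	}
	return Lint(spec), nil
}

// policyJSON is a constructed sample spec, not taken from any real policy. The
// mutate body is illustrative only; this page does not show Mutation's fields.
const policyJSON = `{
  "rules": [
    {
      "name": "require-owner-label",
      "match": {"resources": {"kinds": ["Deployment"]}},
      "validate": {
        "message": "deployments must carry an owner label",
        "pattern": {"metadata": {"labels": {"owner": "?*"}}}
      }
    },
    {
      "name": "record-creator",
      "match": {"resources": {"kinds": ["Namespace"]}},
      "mutate": {
        "overlay": {"metadata": {"annotations": {"created-by": "{{request.userInfo.username}}"}}}
      }
    }
  ]
}`

func main() {
	findings, err := LintJSON([]byte(policyJSON))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Rule, f.Problem)
	}
}
```

Running the lint on the sample reports both rules; setting validationFailureAction to "enforce" and background to false makes it pass. The second finding is the one Kyverno itself rejects at policy admission time, so catching it in review avoids a policy that never loads; the first is a silent gap, since an audit-mode validate rule looks like a control but admits everything.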
func (*Spec) DeepCopy ¶
func (in *Spec) DeepCopy() *Spec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Spec.
func (*Spec) DeepCopyInto ¶
func (in *Spec) DeepCopyInto(out *Spec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type UserInfo ¶ added in v1.1.0
type UserInfo struct {
    // Roles is the list of namespaced role names for the user.
    // +optional
    Roles []string `json:"roles,omitempty" yaml:"roles,omitempty"`

    // ClusterRoles is the list of cluster-wide role names for the user.
    // +optional
    ClusterRoles []string `json:"clusterRoles,omitempty" yaml:"clusterRoles,omitempty"`

    // Subjects is the list of subject names like users, user groups, and service accounts.
    // +optional
    Subjects []rbacv1.Subject `json:"subjects,omitempty" yaml:"subjects,omitempty"`
}
UserInfo contains information about the user performing the operation.
func (*UserInfo) DeepCopy ¶ added in v1.1.0
func (in *UserInfo) DeepCopy() *UserInfo
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInfo.
func (*UserInfo) DeepCopyInto ¶ added in v1.1.0
func (in *UserInfo) DeepCopyInto(out *UserInfo)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Validation ¶
type Validation struct {
    // Message specifies a custom message to be displayed on failure.
    // +optional
    Message string `json:"message,omitempty" yaml:"message,omitempty"`

    // Pattern specifies an overlay-style pattern used to check resources.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +optional
    Pattern apiextensions.JSON `json:"pattern,omitempty" yaml:"pattern,omitempty"`

    // AnyPattern specifies list of validation patterns. At least one of the patterns
    // must be satisfied for the validation rule to succeed.
    // +kubebuilder:validation:XPreserveUnknownFields
    // +optional
    AnyPattern apiextensions.JSON `json:"anyPattern,omitempty" yaml:"anyPattern,omitempty"`

    // Deny defines conditions to fail the validation rule.
    // +optional
    Deny *Deny `json:"deny,omitempty" yaml:"deny,omitempty"`
}
Validation defines checks to be performed on matching resources.
func (*Validation) DeepCopy ¶
func (in *Validation) DeepCopy() *Validation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Validation.
func (*Validation) DeepCopyInto ¶
func (in *Validation) DeepCopyInto(out *Validation)
DeepCopyInto is declared by hand because k8s:deepcopy-gen is not able to generate this method for an interface{} member.
func (*Validation) DeserializeAnyPattern ¶ added in v1.3.0
func (in *Validation) DeserializeAnyPattern() ([]interface{}, error)
DeserializeAnyPattern deserializes the apiextensions.JSON AnyPattern field into a []interface{}.
type ViolatedRule ¶
type ViolatedRule struct {
    // Specifies violated rule name.
    Name string `json:"name" yaml:"name"`

    // Specifies violated rule type.
    Type string `json:"type" yaml:"type"`

    // Specifies violation message.
    // +optional
    Message string `json:"message" yaml:"message"`

    // +optional
    Check string `json:"check" yaml:"check"`
}
ViolatedRule stores information about a rule that a resource violated.
func (*ViolatedRule) DeepCopy ¶
func (in *ViolatedRule) DeepCopy() *ViolatedRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ViolatedRule.
func (*ViolatedRule) DeepCopyInto ¶
func (in *ViolatedRule) DeepCopyInto(out *ViolatedRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.