{
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.",
      "properties": {
        "attestations": {
          "description": "Attestations provides a list of image metadata to verify",
          "items": {
            "description": "Attestation defines the identification details of the metadata that has to be verified",
            "properties": {
              "intoto": {
                "description": "InToto defines the details of attestation attached using intoto format",
                "properties": {
                  "type": {
                    "description": "Type defines the type of attestation contained within the statement.",
                    "type": "string"
                  }
                },
                "required": [
                  "type"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "name": {
                "description": "Name is the name for this attestation. It is used to refer to the attestation in verification",
                "type": "string"
              },
              "referrer": {
                "description": "Referrer defines the details of attestation attached using OCI 1.1 format",
                "properties": {
                  "type": {
                    "description": "Type defines the type of attestation attached to the image.",
                    "type": "string"
                  }
                },
                "required": [
                  "type"
                ],
                "type": "object",
                "additionalProperties": false
              }
            },
            "required": [
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "attestors": {
          "description": "Attestors provides a list of trusted authorities.",
          "items": {
            "description": "Attestor is an identity that confirms or verifies the authenticity of an image or an attestation",
            "oneOf": [
              {
                "required": [
                  "cosign"
                ]
              },
              {
                "required": [
                  "notary"
                ]
              }
            ],
            "properties": {
              "cosign": {
                "description": "Cosign defines attestor configuration for Cosign based signatures",
                "properties": {
                  "annotations": {
                    "additionalProperties": {
                      "type": "string"
                    },
                    "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.",
                    "type": "object"
                  },
                  "certificate": {
                    "description": "Certificate defines the configuration for local signature verification",
                    "properties": {
                      "cert": {
                        "description": "Certificate is the public certificate used for local signature verification.",
                        "oneOf": [
                          {
                            "required": [
                              "value"
                            ]
                          },
                          {
                            "required": [
                              "expression"
                            ]
                          }
                        ],
                        "properties": {
                          "expression": {
                            "description": "Expression defines a CEL expression input.",
                            "type": "string"
                          },
                          "value": {
                            "description": "Value defines the raw string input.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "certChain": {
                        "description": "CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate",
                        "oneOf": [
                          {
                            "required": [
                              "value"
                            ]
                          },
                          {
                            "required": [
                              "expression"
                            ]
                          }
                        ],
                        "properties": {
                          "expression": {
                            "description": "Expression defines a CEL expression input.",
                            "type": "string"
                          },
                          "value": {
                            "description": "Value defines the raw string input.",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "ctlog": {
                    "description": "CTLog sets the configuration to verify the authority against a Rekor instance.",
                    "properties": {
                      "ctLogPubKey": {
                        "description": "CTLogPubKey, if set, is used to validate SCTs against a custom source.",
                        "type": "string"
                      },
                      "insecureIgnoreSCT": {
                        "description": "InsecureIgnoreSCT defines whether to skip using the Signed Certificate Timestamp (SCT) log to check for a certificate\ntimestamp. Default is false. Set to true only if this was opted out of during signing.",
                        "type": "boolean"
                      },
                      "insecureIgnoreTlog": {
                        "description": "InsecureIgnoreTlog, if set to true, skips transparency log verification.",
                        "type": "boolean"
                      },
                      "rekorPubKey": {
                        "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.",
                        "type": "string"
                      },
                      "tsaCertChain": {
                        "description": "TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp source.",
                        "type": "string"
                      },
                      "url": {
                        "description": "URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "key": {
                    "description": "Key defines the type of key to validate the image.",
                    "properties": {
                      "data": {
                        "description": "Data contains the inline public key",
                        "type": "string"
                      },
                      "expression": {
                        "description": "Expression is a CEL expression that returns the public key.",
                        "type": "string"
                      },
                      "hashAlgorithm": {
                        "description": "HashAlgorithm specifies the signature algorithm for public keys. Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.",
                        "type": "string"
                      },
                      "kms": {
                        "description": "KMS contains the KMS url of the public key\nSupported formats differ based on the KMS system used.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "keyless": {
                    "description": "Keyless sets the configuration to verify the authority against a Fulcio instance.",
                    "properties": {
                      "identities": {
                        "description": "Identities sets a list of identities.",
                        "items": {
                          "description": "Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.",
                          "properties": {
                            "issuer": {
                              "description": "Issuer defines the issuer for this identity.",
                              "type": "string"
                            },
                            "issuerRegExp": {
                              "description": "IssuerRegExp specifies a regular expression to match the issuer for this identity.",
                              "type": "string"
                            },
                            "subject": {
                              "description": "Subject defines the subject for this identity.",
                              "type": "string"
                            },
                            "subjectRegExp": {
                              "description": "SubjectRegExp specifies a regular expression to match the subject for this identity.",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "roots": {
                        "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.",
                        "type": "string"
                      }
                    },
                    "required": [
                      "identities"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "source": {
                    "description": "Sources sets the configuration to specify the sources from where to consume the signature and attestations.",
                    "properties": {
                      "PullSecrets": {
                        "description": "SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.",
                        "items": {
                          "description": "LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.",
                          "properties": {
                            "name": {
                              "default": "",
                              "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "x-kubernetes-map-type": "atomic",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "repository": {
                        "description": "Repository defines the location from where to pull the signature / attestations.",
                        "type": "string"
                      },
                      "tagPrefix": {
                        "description": "TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "tuf": {
                    "description": "TUF defines the configuration to fetch sigstore root",
                    "properties": {
                      "mirror": {
                        "description": "Mirror is the base URL of Sigstore TUF repository",
                        "type": "string"
                      },
                      "root": {
                        "description": "Root defines the path or data of the trusted root",
                        "properties": {
                          "data": {
                            "description": "Data is the base64 encoded TUF root",
                            "type": "string"
                          },
                          "path": {
                            "description": "Path is the URL or File location of the TUF root",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "name": {
                "description": "Name is the name for this attestor. It is used to refer to the attestor in verification",
                "type": "string"
              },
              "notary": {
                "description": "Notary defines attestor configuration for Notary based signatures",
                "properties": {
                  "certs": {
                    "description": "Certs define the cert chain for Notary signature verification",
                    "oneOf": [
                      {
                        "required": [
                          "value"
                        ]
                      },
                      {
                        "required": [
                          "expression"
                        ]
                      }
                    ],
                    "properties": {
                      "expression": {
                        "description": "Expression defines a CEL expression input.",
                        "type": "string"
                      },
                      "value": {
                        "description": "Value defines the raw string input.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "tsaCerts": {
                    "description": "TSACerts define the cert chain for verifying timestamps of notary signature",
                    "oneOf": [
                      {
                        "required": [
                          "value"
                        ]
                      },
                      {
                        "required": [
                          "expression"
                        ]
                      }
                    ],
                    "properties": {
                      "expression": {
                        "description": "Expression defines a CEL expression input.",
                        "type": "string"
                      },
                      "value": {
                        "description": "Value defines the raw string input.",
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  }
                },
                "type": "object",
                "additionalProperties": false
              }
            },
            "required": [
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "auditAnnotations": {
          "description": "auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.",
          "items": {
            "description": "AuditAnnotation describes how to produce an audit annotation for an API request.",
            "properties": {
              "key": {
                "description": "key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.",
                "type": "string"
              },
              "valueExpression": {
                "description": "valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.",
                "type": "string"
              }
            },
            "required": [
              "key",
              "valueExpression"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array",
          "x-kubernetes-list-type": "atomic"
        },
        "autogen": {
          "description": "AutogenConfiguration defines the configuration for the generation controller.",
          "properties": {
            "podControllers": {
              "description": "PodControllers specifies whether to generate pod controller rules.",
              "properties": {
                "controllers": {
                  "items": {
                    "type": "string"
                  },
                  "type": "array"
                }
              },
              "type": "object",
              "additionalProperties": false
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "credentials": {
          "description": "Credentials provides credentials that will be used for authentication with registry.",
          "properties": {
            "allowInsecureRegistry": {
              "description": "AllowInsecureRegistry allows insecure access to a registry.",
              "type": "boolean"
            },
            "providers": {
              "description": "Providers specifies a list of OCI Registry names whose authentication providers are supplied.\nEach entry must be one of these values: default, google, azure, amazon, github.",
              "items": {
                "description": "CredentialsProvidersType provides the list of credential providers required.",
                "enum": [
                  "default",
                  "amazon",
                  "azure",
                  "google",
                  "github"
                ],
                "type": "string"
              },
              "type": "array"
            },
            "secrets": {
              "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.",
              "items": {
                "type": "string"
              },
              "type": "array"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "evaluation": {
          "description": "EvaluationConfiguration defines the configuration for the policy evaluation.",
          "properties": {
            "admission": {
              "description": "Admission controls policy evaluation during admission.",
              "properties": {
                "enabled": {
                  "default": true,
                  "description": "Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "background": {
              "description": "Background controls policy evaluation during background scan.",
              "properties": {
                "enabled": {
                  "default": true,
                  "description": "Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).",
                  "type": "boolean"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "mode": {
              "description": "Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".",
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "failurePolicy": {
          "description": "FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.",
          "enum": [
            "Ignore",
            "Fail"
          ],
          "type": "string"
        },
        "images": {
          "description": "ImageExtractors is a list of CEL expressions to extract images from the resource",
          "items": {
            "properties": {
              "expression": {
                "description": "Expression defines CEL expression to extract images from the resource.",
                "type": "string"
              },
              "name": {
                "description": "Name is the name for this imageList. It is used to refer to the images in the verification block as images.<name>",
                "type": "string"
              }
            },
            "required": [
              "expression",
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "matchConditions": {
          "description": "MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.",
          "items": {
            "description": "MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.",
            "properties": {
              "expression": {
                "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.",
                "type": "string"
              },
              "name": {
                "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.",
                "type": "string"
              }
            },
            "required": [
              "expression",
              "name"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "matchConstraints": {
          "description": "MatchConstraints specifies what resources this policy is designed to validate.",
          "properties": {
            "excludeResourceRules": {
              "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)",
              "items": {
                "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.",
                "properties": {
                  "apiGroups": {
                    "description": "APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "apiVersions": {
                    "description": "APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "operations": {
                    "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                    "items": {
                      "description": "OperationType specifies an operation for a request.",
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "resourceNames": {
                    "description": "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "resources": {
                    "description": "Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "scope": {
                    "description": "scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".",
                    "type": "string"
                  }
                },
                "type": "object",
                "x-kubernetes-map-type": "atomic",
                "additionalProperties": false
              },
              "type": "array",
              "x-kubernetes-list-type": "atomic"
            },
            "matchPolicy": {
              "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\".",
              "type": "string"
            },
            "namespaceSelector": {
              "description": "NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\"; you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefaults to the empty LabelSelector, which matches everything.",
              "properties": {
                "matchExpressions": {
                  "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                  "items": {
                    "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                    "properties": {
                      "key": {
                        "description": "key is the label key that the selector applies to.",
                        "type": "string"
                      },
                      "operator": {
                        "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                        "type": "string"
                      },
                      "values": {
                        "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                        "items": {
                          "type": "string"
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      }
                    },
                    "required": [
                      "key",
                      "operator"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array",
                  "x-kubernetes-list-type": "atomic"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                  "type": "object"
                }
              },
              "type": "object",
              "x-kubernetes-map-type": "atomic",
              "additionalProperties": false
            },
            "objectSelector": {
              "description": "ObjectSelector decides whether to run the validation based on whether the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefaults to the empty LabelSelector, which matches everything.",
              "properties": {
                "matchExpressions": {
                  "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                  "items": {
                    "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                    "properties": {
                      "key": {
                        "description": "key is the label key that the selector applies to.",
                        "type": "string"
                      },
                      "operator": {
                        "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                        "type": "string"
                      },
                      "values": {
                        "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                        "items": {
                          "type": "string"
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      }
                    },
                    "required": [
                      "key",
                      "operator"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array",
                  "x-kubernetes-list-type": "atomic"
                },
                "matchLabels": {
                  "additionalProperties": {
                    "type": "string"
                  },
                  "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                  "type": "object"
                }
              },
              "type": "object",
              "x-kubernetes-map-type": "atomic",
              "additionalProperties": false
            },
            "resourceRules": {
              "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.",
              "items": {
                "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.",
                "properties": {
                  "apiGroups": {
                    "description": "APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "apiVersions": {
                    "description": "APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "operations": {
                    "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                    "items": {
                      "description": "OperationType specifies an operation for a request.",
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "resourceNames": {
                    "description": "ResourceNames is an optional allow list of names that the rule applies to. An empty set means that everything is allowed.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "resources": {
                    "description": "Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array",
                    "x-kubernetes-list-type": "atomic"
                  },
                  "scope": {
                    "description": "scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".",
                    "type": "string"
                  }
                },
                "type": "object",
                "x-kubernetes-map-type": "atomic",
                "additionalProperties": false
              },
              "type": "array",
              "x-kubernetes-list-type": "atomic"
            }
          },
          "type": "object",
          "x-kubernetes-map-type": "atomic",
          "additionalProperties": false
        },
        "matchImageReferences": {
          "description": "MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation.\nAny image that does not match a rule is skipped, even when it is passed as an argument to\nimage verification functions.",
          "items": {
            "description": "MatchImageReference defines a Glob or a CEL expression for matching images",
            "oneOf": [
              {
                "required": [
                  "glob"
                ]
              },
              {
                "required": [
                  "expression"
                ]
              }
            ],
            "properties": {
              "expression": {
                "description": "Expression defines CEL Expressions for matching images",
                "type": "string"
              },
              "glob": {
                "description": "Glob defines a globbing pattern for matching images",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "validationActions": {
          "description": "ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported actions values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.",
          "items": {
            "description": "ValidationAction specifies a policy enforcement action.",
            "enum": [
              "Deny",
              "Audit",
              "Warn"
            ],
            "type": "string"
          },
          "type": "array",
          "x-kubernetes-list-type": "set"
        },
        "validationConfigurations": {
          "default": {},
          "description": "ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.",
          "properties": {
            "mutateDigest": {
              "default": true,
              "description": "MutateDigest enables replacement of image tags with digests.\nDefaults to true.",
              "type": "boolean"
            },
            "required": {
              "default": true,
              "description": "Required validates that images are verified, i.e., have passed a signature or attestation check.",
              "type": "boolean"
            },
            "verifyDigest": {
              "default": true,
              "description": "VerifyDigest validates that images have a digest.",
              "type": "boolean"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "validations": {
          "description": "Validations contain the CEL expressions which are used to apply the image validation checks.",
          "items": {
            "description": "Validation specifies the CEL expression which is used to apply the validation.",
            "properties": {
              "expression": {
                "description": "Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type use the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.",
                "type": "string"
              },
              "message": {
                "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks, Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".",
                "type": "string"
              },
              "messageExpression": {
                "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"",
                "type": "string"
              },
              "reason": {
                "description": "Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.",
                "type": "string"
              }
            },
            "required": [
              "expression"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array",
          "x-kubernetes-list-type": "atomic"
        },
        "variables": {
          "description": "Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.",
          "items": {
            "description": "Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.",
            "properties": {
              "expression": {
                "description": "Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.",
                "type": "string"
              },
              "name": {
                "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`\nFor example, if name is \"foo\", the variable will be available as `variables.foo`",
                "type": "string"
              }
            },
            "required": [
              "expression",
              "name"
            ],
            "type": "object",
            "x-kubernetes-map-type": "atomic",
            "additionalProperties": false
          },
          "type": "array"
        },
        "webhookConfiguration": {
          "description": "WebhookConfiguration defines the configuration for the webhook.",
          "properties": {
            "timeoutSeconds": {
              "description": "TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.",
              "format": "int32",
              "type": "integer"
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "required": [
        "attestors",
        "validations"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "Status contains policy runtime data.",
      "properties": {
        "autogen": {
          "properties": {
            "configs": {
              "additionalProperties": {
                "properties": {
                  "spec": {
                    "description": "ImageValidatingPolicySpec is the specification of the desired behavior of the ImageValidatingPolicy.",
                    "properties": {
                      "attestations": {
                        "description": "Attestations provides a list of image metadata to verify",
                        "items": {
                          "description": "Attestation defines the identification details of the  metadata that has to be verified",
                          "properties": {
                            "intoto": {
                              "description": "InToto defines the details of attestation attached using intoto format",
                              "properties": {
                                "type": {
                                  "description": "Type defines the type of attestation contained within the statement.",
                                  "type": "string"
                                }
                              },
                              "required": [
                                "type"
                              ],
                              "type": "object",
                              "additionalProperties": false
                            },
                            "name": {
                              "description": "Name is the name for this attestation. It is used to refer to the attestation in verification",
                              "type": "string"
                            },
                            "referrer": {
                              "description": "Referrer defines the details of attestation attached using OCI 1.1 format",
                              "properties": {
                                "type": {
                                  "description": "Type defines the type of attestation attached to the image.",
                                  "type": "string"
                                }
                              },
                              "required": [
                                "type"
                              ],
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "required": [
                            "name"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "attestors": {
                        "description": "Attestors provides a list of trusted authorities.",
                        "items": {
                          "description": "Attestor is an identity that confirms or verifies the authenticity of an image or an attestation",
                          "oneOf": [
                            {
                              "required": [
                                "cosign"
                              ]
                            },
                            {
                              "required": [
                                "notary"
                              ]
                            }
                          ],
                          "properties": {
                            "cosign": {
                              "description": "Cosign defines attestor configuration for Cosign based signatures",
                              "properties": {
                                "annotations": {
                                  "additionalProperties": {
                                    "type": "string"
                                  },
                                  "description": "Annotations are used for image verification.\nEvery specified key-value pair must exist and match in the verified payload.\nThe payload may contain other key-value pairs.",
                                  "type": "object"
                                },
                                "certificate": {
                                  "description": "Certificate defines the configuration for local signature verification",
                                  "properties": {
                                    "cert": {
                                      "description": "Certificate is the public certificate used for local signature verification.",
                                      "oneOf": [
                                        {
                                          "required": [
                                            "value"
                                          ]
                                        },
                                        {
                                          "required": [
                                            "expression"
                                          ]
                                        }
                                      ],
                                      "properties": {
                                        "expression": {
                                          "description": "Expression defines a CEL expression input.",
                                          "type": "string"
                                        },
                                        "value": {
                                          "description": "Value defines the raw string input.",
                                          "type": "string"
                                        }
                                      },
                                      "type": "object",
                                      "additionalProperties": false
                                    },
                                    "certChain": {
                                      "description": "CertificateChain is the list of CA certificates in PEM format which will be needed\nwhen building the certificate chain for the signing certificate. Must start with the\nparent intermediate CA certificate of the signing certificate and end with the root certificate.",
                                      "oneOf": [
                                        {
                                          "required": [
                                            "value"
                                          ]
                                        },
                                        {
                                          "required": [
                                            "expression"
                                          ]
                                        }
                                      ],
                                      "properties": {
                                        "expression": {
                                          "description": "Expression defines a CEL expression input.",
                                          "type": "string"
                                        },
                                        "value": {
                                          "description": "Value defines the raw string input.",
                                          "type": "string"
                                        }
                                      },
                                      "type": "object",
                                      "additionalProperties": false
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "ctlog": {
                                  "description": "CTLog sets the configuration to verify the authority against a Rekor instance.",
                                  "properties": {
                                    "ctLogPubKey": {
                                      "description": "CTLogPubKey, if set, is used to validate SCTs against a custom source.",
                                      "type": "string"
                                    },
                                    "insecureIgnoreSCT": {
                                      "description": "InsecureIgnoreSCT defines whether to skip the Signed Certificate Timestamp (SCT) check for the certificate\ntimestamp. Default is false. Set to true if this was opted out during signing.",
                                      "type": "boolean"
                                    },
                                    "insecureIgnoreTlog": {
                                      "description": "InsecureIgnoreTlog skips transparency log verification.",
                                      "type": "boolean"
                                    },
                                    "rekorPubKey": {
                                      "description": "RekorPubKey is an optional PEM-encoded public key to use for a custom Rekor.\nIf set, this will be used to validate transparency log signatures from a custom Rekor.",
                                      "type": "string"
                                    },
                                    "tsaCertChain": {
                                      "description": "TSACertChain, if set, is the PEM-encoded certificate chain file for the RFC3161 timestamp authority. Must\ncontain the root CA certificate. Optionally may contain intermediate CA certificates, and\nmay contain the leaf TSA certificate if not present in the timestamp response.",
                                      "type": "string"
                                    },
                                    "url": {
                                      "description": "URL sets the url to the rekor instance (by default the public rekor.sigstore.dev)",
                                      "type": "string"
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "key": {
                                  "description": "Key defines the type of key to validate the image.",
                                  "properties": {
                                    "data": {
                                      "description": "Data contains the inline public key",
                                      "type": "string"
                                    },
                                    "expression": {
                                      "description": "Expression is a CEL expression that returns the public key.",
                                      "type": "string"
                                    },
                                    "hashAlgorithm": {
                                      "description": "HashAlgorithm specifies the signature algorithm for public keys. Supported values are\nsha224, sha256, sha384 and sha512. Defaults to sha256.",
                                      "type": "string"
                                    },
                                    "kms": {
                                      "description": "KMS contains the KMS URL of the public key.\nSupported formats differ based on the KMS system used.",
                                      "type": "string"
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "keyless": {
                                  "description": "Keyless sets the configuration to verify the authority against a Fulcio instance.",
                                  "properties": {
                                    "identities": {
                                      "description": "Identities sets a list of identities.",
                                      "items": {
                                        "description": "Identity may contain the issuer and/or the subject found in the transparency\nlog.\nIssuer/Subject uses a strict match, while IssuerRegExp and SubjectRegExp\napply a regexp for matching.",
                                        "properties": {
                                          "issuer": {
                                            "description": "Issuer defines the issuer for this identity.",
                                            "type": "string"
                                          },
                                          "issuerRegExp": {
                                            "description": "IssuerRegExp specifies a regular expression to match the issuer for this identity.",
                                            "type": "string"
                                          },
                                          "subject": {
                                            "description": "Subject defines the subject for this identity.",
                                            "type": "string"
                                          },
                                          "subjectRegExp": {
                                            "description": "SubjectRegExp specifies a regular expression to match the subject for this identity.",
                                            "type": "string"
                                          }
                                        },
                                        "type": "object",
                                        "additionalProperties": false
                                      },
                                      "type": "array"
                                    },
                                    "roots": {
                                      "description": "Roots is an optional set of PEM encoded trusted root certificates.\nIf not provided, the system roots are used.",
                                      "type": "string"
                                    }
                                  },
                                  "required": [
                                    "identities"
                                  ],
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "source": {
                                  "description": "Sources sets the configuration to specify the sources from where to consume the signature and attestations.",
                                  "properties": {
                                    "PullSecrets": {
                                      "description": "SignaturePullSecrets is an optional list of references to secrets in the\nsame namespace as the deploying resource for pulling any of the signatures\nused by this Source.",
                                      "items": {
                                        "description": "LocalObjectReference contains enough information to let you locate the\nreferenced object inside the same namespace.",
                                        "properties": {
                                          "name": {
                                            "default": "",
                                            "description": "Name of the referent.\nThis field is effectively required, but due to backwards compatibility is\nallowed to be empty. Instances of this type with an empty value here are\nalmost certainly wrong.\nMore info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names",
                                            "type": "string"
                                          }
                                        },
                                        "type": "object",
                                        "x-kubernetes-map-type": "atomic",
                                        "additionalProperties": false
                                      },
                                      "type": "array"
                                    },
                                    "repository": {
                                      "description": "Repository defines the location from where to pull the signature / attestations.",
                                      "type": "string"
                                    },
                                    "tagPrefix": {
                                      "description": "TagPrefix is an optional prefix that signature and attestations have.\nThis is the 'tag based discovery' and in the future once references are\nfully supported that should likely be the preferred way to handle these.",
                                      "type": "string"
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "tuf": {
                                  "description": "TUF defines the configuration to fetch sigstore root",
                                  "properties": {
                                    "mirror": {
                                      "description": "Mirror is the base URL of Sigstore TUF repository",
                                      "type": "string"
                                    },
                                    "root": {
                                      "description": "Root defines the path or data of the trusted root",
                                      "properties": {
                                        "data": {
                                          "description": "Data is the base64 encoded TUF root",
                                          "type": "string"
                                        },
                                        "path": {
                                          "description": "Path is the URL or File location of the TUF root",
                                          "type": "string"
                                        }
                                      },
                                      "type": "object",
                                      "additionalProperties": false
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            },
                            "name": {
                              "description": "Name is the name for this attestor. It is used to refer to the attestor in verification",
                              "type": "string"
                            },
                            "notary": {
                              "description": "Notary defines attestor configuration for Notary based signatures",
                              "properties": {
                                "certs": {
                                  "description": "Certs define the cert chain for Notary signature verification",
                                  "oneOf": [
                                    {
                                      "required": [
                                        "value"
                                      ]
                                    },
                                    {
                                      "required": [
                                        "expression"
                                      ]
                                    }
                                  ],
                                  "properties": {
                                    "expression": {
                                      "description": "Expression defines a CEL expression input.",
                                      "type": "string"
                                    },
                                    "value": {
                                      "description": "Value defines the raw string input.",
                                      "type": "string"
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "tsaCerts": {
                                  "description": "TSACerts define the cert chain for verifying timestamps of notary signature",
                                  "oneOf": [
                                    {
                                      "required": [
                                        "value"
                                      ]
                                    },
                                    {
                                      "required": [
                                        "expression"
                                      ]
                                    }
                                  ],
                                  "properties": {
                                    "expression": {
                                      "description": "Expression defines a CEL expression input.",
                                      "type": "string"
                                    },
                                    "value": {
                                      "description": "Value defines the raw string input.",
                                      "type": "string"
                                    }
                                  },
                                  "type": "object",
                                  "additionalProperties": false
                                }
                              },
                              "type": "object",
                              "additionalProperties": false
                            }
                          },
                          "required": [
                            "name"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "auditAnnotations": {
                        "description": "auditAnnotations contains CEL expressions which are used to produce audit\nannotations for the audit event of the API request.\nvalidations and auditAnnotations may not both be empty; at least one of validations or auditAnnotations is\nrequired.",
                        "items": {
                          "description": "AuditAnnotation describes how to produce an audit annotation for an API request.",
                          "properties": {
                            "key": {
                              "description": "key specifies the audit annotation key. The audit annotation keys of\na ValidatingAdmissionPolicy must be unique. The key must be a qualified\nname ([A-Za-z0-9][-A-Za-z0-9_.]*) no more than 63 bytes in length.\n\nThe key is combined with the resource name of the\nValidatingAdmissionPolicy to construct an audit annotation key:\n\"{ValidatingAdmissionPolicy name}/{key}\".\n\nIf an admission webhook uses the same resource name as this ValidatingAdmissionPolicy\nand the same audit annotation key, the annotation key will be identical.\nIn this case, the first annotation written with the key will be included\nin the audit event and all subsequent annotations with the same key\nwill be discarded.\n\nRequired.",
                              "type": "string"
                            },
                            "valueExpression": {
                              "description": "valueExpression represents the expression which is evaluated by CEL to\nproduce an audit annotation value. The expression must evaluate to either\na string or null value. If the expression evaluates to a string, the\naudit annotation is included with the string value. If the expression\nevaluates to null or empty string the audit annotation will be omitted.\nThe valueExpression may be no longer than 5kb in length.\nIf the result of the valueExpression is more than 10kb in length, it\nwill be truncated to 10kb.\n\nIf multiple ValidatingAdmissionPolicyBinding resources match an\nAPI request, then the valueExpression will be evaluated for\neach binding. All unique values produced by the valueExpressions\nwill be joined together in a comma-separated list.\n\nRequired.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "key",
                            "valueExpression"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      },
                      "autogen": {
                        "description": "AutogenConfiguration defines the configuration for the generation controller.",
                        "properties": {
                          "podControllers": {
                            "description": "PodControllers specifies whether to generate pod controller rules.",
                            "properties": {
                              "controllers": {
                                "items": {
                                  "type": "string"
                                },
                                "type": "array"
                              }
                            },
                            "type": "object",
                            "additionalProperties": false
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "credentials": {
                        "description": "Credentials provides credentials that will be used for authentication with registry.",
                        "properties": {
                          "allowInsecureRegistry": {
                            "description": "AllowInsecureRegistry allows insecure access to a registry.",
                            "type": "boolean"
                          },
                          "providers": {
                            "description": "Providers specifies a list of OCI Registry names, whose authentication providers are provided.\nIt can be of one of these values: default,google,azure,amazon,github.",
                            "items": {
                              "description": "CredentialsProvidersType provides the list of credential providers required.",
                              "enum": [
                                "default",
                                "amazon",
                                "azure",
                                "google",
                                "github"
                              ],
                              "type": "string"
                            },
                            "type": "array"
                          },
                          "secrets": {
                            "description": "Secrets specifies a list of secrets that are provided for credentials.\nSecrets must live in the Kyverno namespace.",
                            "items": {
                              "type": "string"
                            },
                            "type": "array"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "evaluation": {
                        "description": "EvaluationConfiguration defines the configuration for the policy evaluation.",
                        "properties": {
                          "admission": {
                            "description": "Admission controls policy evaluation during admission.",
                            "properties": {
                              "enabled": {
                                "default": true,
                                "description": "Enabled controls if rules are applied during admission.\nOptional. Default value is \"true\".",
                                "type": "boolean"
                              }
                            },
                            "type": "object",
                            "additionalProperties": false
                          },
                          "background": {
                            "description": "Background controls policy evaluation during background scan.",
                            "properties": {
                              "enabled": {
                                "default": true,
                                "description": "Enabled controls if rules are applied to existing resources during a background scan.\nOptional. Default value is \"true\". The value must be set to \"false\" if the policy rule\nuses variables that are only available in the admission review request (e.g. user name).",
                                "type": "boolean"
                              }
                            },
                            "type": "object",
                            "additionalProperties": false
                          },
                          "mode": {
                            "description": "Mode is the mode of policy evaluation.\nAllowed values are \"Kubernetes\" or \"JSON\".\nOptional. Default value is \"Kubernetes\".",
                            "type": "string"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "failurePolicy": {
                        "description": "FailurePolicy defines how to handle failures for the admission policy. Failures can\noccur from CEL expression parse errors, type check errors, runtime errors and invalid\nor mis-configured policy definitions or bindings.",
                        "enum": [
                          "Ignore",
                          "Fail"
                        ],
                        "type": "string"
                      },
                      "images": {
                        "description": "ImageExtractors is a list of CEL expressions to extract images from the resource.",
                        "items": {
                          "properties": {
                            "expression": {
                              "description": "Expression defines CEL expression to extract images from the resource.",
                              "type": "string"
                            },
                            "name": {
                              "description": "Name is the name for this imageList. It is used to refer to the images in verification block as images.<name>",
                              "type": "string"
                            }
                          },
                          "required": [
                            "expression",
                            "name"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "matchConditions": {
                        "description": "MatchConditions is a list of conditions that must be met for a request to be validated.\nMatch conditions filter requests that have already been matched by the rules,\nnamespaceSelector, and objectSelector. An empty list of matchConditions matches all requests.\nThere are a maximum of 64 match conditions allowed.",
                        "items": {
                          "description": "MatchCondition represents a condition which must be fulfilled for a request to be sent to a webhook.",
                          "properties": {
                            "expression": {
                              "description": "Expression represents the expression which will be evaluated by CEL. Must evaluate to bool.\nCEL expressions have access to the contents of the AdmissionRequest and Authorizer, organized into CEL variables:\n\n'object' - The object from the incoming request. The value is null for DELETE requests.\n'oldObject' - The existing object. The value is null for CREATE requests.\n'request' - Attributes of the admission request(/pkg/apis/admission/types.go#AdmissionRequest).\n'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\nDocumentation on CEL: https://kubernetes.io/docs/reference/using-api/cel/\n\nRequired.",
                              "type": "string"
                            },
                            "name": {
                              "description": "Name is an identifier for this match condition, used for strategic merging of MatchConditions,\nas well as providing an identifier for logging purposes. A good name should be descriptive of\nthe associated expression.\nName must be a qualified name consisting of alphanumeric characters, '-', '_' or '.', and\nmust start and end with an alphanumeric character (e.g. 'MyName',  or 'my.name',  or\n'123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]') with an\noptional DNS subdomain prefix and '/' (e.g. 'example.com/MyName')\n\nRequired.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "expression",
                            "name"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "matchConstraints": {
                        "description": "MatchConstraints specifies what resources this policy is designed to validate.",
                        "properties": {
                          "excludeResourceRules": {
                            "description": "ExcludeResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy should not care about.\nThe exclude rules take precedence over include rules (if a resource matches both, it is excluded)",
                            "items": {
                              "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.",
                              "properties": {
                                "apiGroups": {
                                  "description": "APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "apiVersions": {
                                  "description": "APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "operations": {
                                  "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                                  "items": {
                                    "description": "OperationType specifies an operation for a request.",
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "resourceNames": {
                                  "description": "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "resources": {
                                  "description": "Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "scope": {
                                  "description": "scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "x-kubernetes-map-type": "atomic",
                              "additionalProperties": false
                            },
                            "type": "array",
                            "x-kubernetes-list-type": "atomic"
                          },
                          "matchPolicy": {
                            "description": "matchPolicy defines how the \"MatchResources\" list is used to match incoming requests.\nAllowed values are \"Exact\" or \"Equivalent\".\n\n- Exact: match a request only if it exactly matches a specified rule.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nbut \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would not be sent to the ValidatingAdmissionPolicy.\n\n- Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.\nFor example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,\nand \"rules\" only included `apiGroups:[\"apps\"], apiVersions:[\"v1\"], resources: [\"deployments\"]`,\na request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the ValidatingAdmissionPolicy.\n\nDefaults to \"Equivalent\".",
                            "type": "string"
                          },
                          "namespaceSelector": {
                            "description": "NamespaceSelector decides whether to run the admission control policy on an object based\non whether the namespace for that object matches the selector. If the\nobject itself is a namespace, the matching is performed on\nobject.metadata.labels. If the object is another cluster scoped resource,\nit never skips the policy.\n\nFor example, to run the webhook on any objects whose namespace is not\nassociated with \"runlevel\" of \"0\" or \"1\";  you will set the selector as\nfollows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"runlevel\",\n      \"operator\": \"NotIn\",\n      \"values\": [\n        \"0\",\n        \"1\"\n      ]\n    }\n  ]\n}\n\nIf instead you want to only run the policy on any objects whose\nnamespace is associated with the \"environment\" of \"prod\" or \"staging\";\nyou will set the selector as follows:\n\"namespaceSelector\": {\n  \"matchExpressions\": [\n    {\n      \"key\": \"environment\",\n      \"operator\": \"In\",\n      \"values\": [\n        \"prod\",\n        \"staging\"\n      ]\n    }\n  ]\n}\n\nSee\nhttps://kubernetes.io/docs/concepts/overview/working-with-objects/labels/\nfor more examples of label selectors.\n\nDefault to the empty LabelSelector, which matches everything.",
                            "properties": {
                              "matchExpressions": {
                                "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                                "items": {
                                  "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                                  "properties": {
                                    "key": {
                                      "description": "key is the label key that the selector applies to.",
                                      "type": "string"
                                    },
                                    "operator": {
                                      "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                                      "type": "string"
                                    },
                                    "values": {
                                      "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                                      "items": {
                                        "type": "string"
                                      },
                                      "type": "array",
                                      "x-kubernetes-list-type": "atomic"
                                    }
                                  },
                                  "required": [
                                    "key",
                                    "operator"
                                  ],
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "type": "array",
                                "x-kubernetes-list-type": "atomic"
                              },
                              "matchLabels": {
                                "additionalProperties": {
                                  "type": "string"
                                },
                                "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                                "type": "object"
                              }
                            },
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "objectSelector": {
                            "description": "ObjectSelector decides whether to run the validation based on if the\nobject has matching labels. objectSelector is evaluated against both\nthe oldObject and newObject that would be sent to the cel validation, and\nis considered to match if either object matches the selector. A null\nobject (oldObject in the case of create, or newObject in the case of\ndelete) or an object that cannot have labels (like a\nDeploymentRollback or a PodProxyOptions object) is not considered to\nmatch.\nUse the object selector only if the webhook is opt-in, because end\nusers may skip the admission webhook by setting the labels.\nDefault to the empty LabelSelector, which matches everything.",
                            "properties": {
                              "matchExpressions": {
                                "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
                                "items": {
                                  "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.",
                                  "properties": {
                                    "key": {
                                      "description": "key is the label key that the selector applies to.",
                                      "type": "string"
                                    },
                                    "operator": {
                                      "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.",
                                      "type": "string"
                                    },
                                    "values": {
                                      "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.",
                                      "items": {
                                        "type": "string"
                                      },
                                      "type": "array",
                                      "x-kubernetes-list-type": "atomic"
                                    }
                                  },
                                  "required": [
                                    "key",
                                    "operator"
                                  ],
                                  "type": "object",
                                  "additionalProperties": false
                                },
                                "type": "array",
                                "x-kubernetes-list-type": "atomic"
                              },
                              "matchLabels": {
                                "additionalProperties": {
                                  "type": "string"
                                },
                                "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
                                "type": "object"
                              }
                            },
                            "type": "object",
                            "x-kubernetes-map-type": "atomic",
                            "additionalProperties": false
                          },
                          "resourceRules": {
                            "description": "ResourceRules describes what operations on what resources/subresources the ValidatingAdmissionPolicy matches.\nThe policy cares about an operation if it matches _any_ Rule.",
                            "items": {
                              "description": "NamedRuleWithOperations is a tuple of Operations and Resources with ResourceNames.",
                              "properties": {
                                "apiGroups": {
                                  "description": "APIGroups is the API groups the resources belong to. '*' is all groups.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "apiVersions": {
                                  "description": "APIVersions is the API versions the resources belong to. '*' is all versions.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "operations": {
                                  "description": "Operations is the operations the admission hook cares about - CREATE, UPDATE, DELETE, CONNECT or *\nfor all of those operations and any future admission operations that are added.\nIf '*' is present, the length of the slice must be one.\nRequired.",
                                  "items": {
                                    "description": "OperationType specifies an operation for a request.",
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "resourceNames": {
                                  "description": "ResourceNames is an optional white list of names that the rule applies to.  An empty set means that everything is allowed.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "resources": {
                                  "description": "Resources is a list of resources this rule applies to.\n\nFor example:\n'pods' means pods.\n'pods/log' means the log subresource of pods.\n'*' means all resources, but not subresources.\n'pods/*' means all subresources of pods.\n'*/scale' means all scale subresources.\n'*/*' means all resources and their subresources.\n\nIf wildcard is present, the validation rule will ensure resources do not\noverlap with each other.\n\nDepending on the enclosing object, subresources might not be allowed.\nRequired.",
                                  "items": {
                                    "type": "string"
                                  },
                                  "type": "array",
                                  "x-kubernetes-list-type": "atomic"
                                },
                                "scope": {
                                  "description": "scope specifies the scope of this rule.\nValid values are \"Cluster\", \"Namespaced\", and \"*\"\n\"Cluster\" means that only cluster-scoped resources will match this rule.\nNamespace API objects are cluster-scoped.\n\"Namespaced\" means that only namespaced resources will match this rule.\n\"*\" means that there are no scope restrictions.\nSubresources match the scope of their parent resource.\nDefault is \"*\".",
                                  "type": "string"
                                }
                              },
                              "type": "object",
                              "x-kubernetes-map-type": "atomic",
                              "additionalProperties": false
                            },
                            "type": "array",
                            "x-kubernetes-list-type": "atomic"
                          }
                        },
                        "type": "object",
                        "x-kubernetes-map-type": "atomic",
                        "additionalProperties": false
                      },
                      "matchImageReferences": {
                        "description": "MatchImageReferences is a list of Glob and CELExpressions to match images.\nAny image that matches one of the rules is considered for validation.\nAny image that does not match a rule is skipped, even when it is passed as an argument to\nimage verification functions.",
                        "items": {
                          "description": "MatchImageReference defines a Glob or a CEL expression for matching images",
                          "oneOf": [
                            {
                              "required": [
                                "glob"
                              ]
                            },
                            {
                              "required": [
                                "expression"
                              ]
                            }
                          ],
                          "properties": {
                            "expression": {
                              "description": "Expression defines CEL Expressions for matching images",
                              "type": "string"
                            },
                            "glob": {
                              "description": "Glob defines a globbing pattern for matching images",
                              "type": "string"
                            }
                          },
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "validationActions": {
                        "description": "ValidationAction specifies the action to be taken when the matched resource violates the policy.\nIf a validation evaluates to false, it is always enforced according to these actions.\n\nFailures defined by the ValidatingAdmissionPolicy's FailurePolicy are enforced according\nto these actions only if the FailurePolicy is set to Fail, otherwise the failures are\nignored. This includes compilation errors, runtime errors and misconfigurations of the policy.\n\nvalidationActions is declared as a set of action values. Order does\nnot matter. validationActions may not contain duplicates of the same action.\n\nThe supported action values are:\n\n\"Deny\" specifies that a validation failure results in a denied request.\n\n\"Warn\" specifies that a validation failure is reported to the request client\nin HTTP Warning headers, with a warning code of 299. Warnings can be sent\nboth for allowed or denied admission responses.\n\n\"Audit\" specifies that a validation failure is recorded in the created reports.\n\nClients should expect to handle additional values by ignoring\nany values not recognized.\n\n\"Deny\" and \"Warn\" may not be used together since this combination\nneedlessly duplicates the validation failure both in the\nAPI response body and the HTTP warning headers.\n\nRequired.",
                        "items": {
                          "description": "ValidationAction specifies a policy enforcement action.",
                          "enum": [
                            "Deny",
                            "Audit",
                            "Warn"
                          ],
                          "type": "string"
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "set"
                      },
                      "validationConfigurations": {
                        "default": {},
                        "description": "ValidationConfigurations defines settings for mutating and verifying image digests, and enforcing image verification through signatures.",
                        "properties": {
                          "mutateDigest": {
                            "default": true,
                            "description": "MutateDigest enables replacement of image tags with digests.\nDefaults to true.",
                            "type": "boolean"
                          },
                          "required": {
                            "default": true,
                            "description": "Required validates that images are verified, i.e., have passed a signature or attestation check.",
                            "type": "boolean"
                          },
                          "verifyDigest": {
                            "default": true,
                            "description": "VerifyDigest validates that images have a digest.",
                            "type": "boolean"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "validations": {
                        "description": "Validations contain CEL expressions which are used to apply the image validation checks.",
                        "items": {
                          "description": "Validation specifies the CEL expression which is used to apply the validation.",
                          "properties": {
                            "expression": {
                              "description": "Expression represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nCEL expressions have access to the contents of the API request/response, organized into CEL variables as well as some other useful variables:\n\n- 'object' - The object from the incoming request. The value is null for DELETE requests.\n- 'oldObject' - The existing object. The value is null for CREATE requests.\n- 'request' - Attributes of the API request([ref](/pkg/apis/admission/types.go#AdmissionRequest)).\n- 'params' - Parameter resource referred to by the policy binding being evaluated. Only populated if the policy has a ParamKind.\n- 'namespaceObject' - The namespace object that the incoming object belongs to. The value is null for cluster-scoped resources.\n- 'variables' - Map of composited variables, from its name to its lazily evaluated value.\n  For example, a variable named 'foo' can be accessed as 'variables.foo'.\n- 'authorizer' - A CEL Authorizer. May be used to perform authorization checks for the principal (user or service account) of the request.\n  See https://pkg.go.dev/k8s.io/apiserver/pkg/cel/library#Authz\n- 'authorizer.requestResource' - A CEL ResourceCheck constructed from the 'authorizer' and configured with the\n  request resource.\n\nThe `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the\nobject. No other metadata properties are accessible.\n\nOnly property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.\nAccessible property names are escaped according to the following rules when accessed in the expression:\n- '__' escapes to '__underscores__'\n- '.' escapes to '__dot__'\n- '-' escapes to '__dash__'\n- '/' escapes to '__slash__'\n- Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:\n\t  \"true\", \"false\", \"null\", \"in\", \"as\", \"break\", \"const\", \"continue\", \"else\", \"for\", \"function\", \"if\",\n\t  \"import\", \"let\", \"loop\", \"package\", \"namespace\", \"return\".\nExamples:\n  - Expression accessing a property named \"namespace\": {\"Expression\": \"object.__namespace__ > 0\"}\n  - Expression accessing a property named \"x-prop\": {\"Expression\": \"object.x__dash__prop > 0\"}\n  - Expression accessing a property named \"redact__d\": {\"Expression\": \"object.redact__underscores__d > 0\"}\n\nEquality on arrays with list type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].\nConcatenation on arrays with x-kubernetes-list-type uses the semantics of the list type:\n  - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and\n    non-intersecting elements in `Y` are appended, retaining their partial order.\n  - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values\n    are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with\n    non-intersecting keys are appended, retaining their partial order.\nRequired.",
                              "type": "string"
                            },
                            "message": {
                              "description": "Message represents the message displayed when validation fails. The message is required if the Expression contains\nline breaks. The message must not contain line breaks.\nIf unset, the message is \"failed rule: {Rule}\".\ne.g. \"must be a URL with the host matching spec.host\"\nIf the Expression contains line breaks, Message is required.\nThe message must not contain line breaks.\nIf unset, the message is \"failed Expression: {Expression}\".",
                              "type": "string"
                            },
                            "messageExpression": {
                              "description": "messageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.\nSince messageExpression is used as a failure message, it must evaluate to a string.\nIf both message and messageExpression are present on a validation, then messageExpression will be used if validation fails.\nIf messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced\nas if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string\nthat contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and\nthe fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.\nmessageExpression has access to all the same variables as the `expression` except for 'authorizer' and 'authorizer.requestResource'.\nExample:\n\"object.x must be less than max (\"+string(params.max)+\")\"",
                              "type": "string"
                            },
                            "reason": {
                              "description": "Reason represents a machine-readable description of why this validation failed.\nIf this is the first validation in the list to fail, this reason, as well as the\ncorresponding HTTP response code, are used in the\nHTTP response to the client.\nThe currently supported reasons are: \"Unauthorized\", \"Forbidden\", \"Invalid\", \"RequestEntityTooLarge\".\nIf not set, StatusReasonInvalid is used in the response to the client.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "expression"
                          ],
                          "type": "object",
                          "additionalProperties": false
                        },
                        "type": "array",
                        "x-kubernetes-list-type": "atomic"
                      },
                      "variables": {
                        "description": "Variables contain definitions of variables that can be used in composition of other expressions.\nEach variable is defined as a named CEL expression.",
                        "items": {
                          "description": "Variable is the definition of a variable that is used for composition. A variable is defined as a named expression.",
                          "properties": {
                            "expression": {
                              "description": "Expression is the expression that will be evaluated as the value of the variable.\nThe CEL expression has access to the same identifiers as the CEL expressions in Validation.",
                              "type": "string"
                            },
                            "name": {
                              "description": "Name is the name of the variable. The name must be a valid CEL identifier and unique among all variables.\nThe variable can be accessed in other expressions through `variables`.\nFor example, if name is \"foo\", the variable will be available as `variables.foo`.",
                              "type": "string"
                            }
                          },
                          "required": [
                            "expression",
                            "name"
                          ],
                          "type": "object",
                          "x-kubernetes-map-type": "atomic",
                          "additionalProperties": false
                        },
                        "type": "array"
                      },
                      "webhookConfiguration": {
                        "description": "WebhookConfiguration defines the configuration for the webhook.",
                        "properties": {
                          "timeoutSeconds": {
                            "description": "TimeoutSeconds specifies the maximum time in seconds allowed to apply this policy.\nAfter the configured time expires, the admission request may fail, or may simply ignore the policy results,\nbased on the failure policy. The default timeout is 10s; the value must be between 1 and 30 seconds.",
                            "format": "int32",
                            "type": "integer"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      }
                    },
                    "required": [
                      "attestors",
                      "validations"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "targets": {
                    "items": {
                      "properties": {
                        "group": {
                          "type": "string"
                        },
                        "kind": {
                          "type": "string"
                        },
                        "resource": {
                          "type": "string"
                        },
                        "version": {
                          "type": "string"
                        }
                      },
                      "required": [
                        "kind",
                        "resource",
                        "version"
                      ],
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "array"
                  }
                },
                "required": [
                  "spec",
                  "targets"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "object"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "conditionStatus": {
          "description": "ConditionStatus is the shared status across all policy types",
          "properties": {
            "conditions": {
              "items": {
                "description": "Condition contains details for one aspect of the current state of this API Resource.",
                "properties": {
                  "lastTransitionTime": {
                    "description": "lastTransitionTime is the last time the condition transitioned from one status to another.\nThis should be when the underlying condition changed.  If that is not known, then using the time when the API field changed is acceptable.",
                    "format": "date-time",
                    "type": "string"
                  },
                  "message": {
                    "description": "message is a human readable message indicating details about the transition.\nThis may be an empty string.",
                    "maxLength": 32768,
                    "type": "string"
                  },
                  "observedGeneration": {
                    "description": "observedGeneration represents the .metadata.generation that the condition was set based upon.\nFor instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date\nwith respect to the current state of the instance.",
                    "format": "int64",
                    "minimum": 0,
                    "type": "integer"
                  },
                  "reason": {
                    "description": "reason contains a programmatic identifier indicating the reason for the condition's last transition.\nProducers of specific condition types may define expected values and meanings for this field,\nand whether the values are considered a guaranteed API.\nThe value should be a CamelCase string.\nThis field may not be empty.",
                    "maxLength": 1024,
                    "minLength": 1,
                    "pattern": "^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$",
                    "type": "string"
                  },
                  "status": {
                    "description": "status of the condition, one of True, False, Unknown.",
                    "enum": [
                      "True",
                      "False",
                      "Unknown"
                    ],
                    "type": "string"
                  },
                  "type": {
                    "description": "type of condition in CamelCase or in foo.example.com/CamelCase.",
                    "maxLength": 316,
                    "pattern": "^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$",
                    "type": "string"
                  }
                },
                "required": [
                  "lastTransitionTime",
                  "message",
                  "reason",
                  "status",
                  "type"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "message": {
              "description": "Message is a human readable message indicating details about the generation of ValidatingAdmissionPolicy/MutatingAdmissionPolicy.\nIt is an empty string when ValidatingAdmissionPolicy/MutatingAdmissionPolicy is successfully generated.",
              "type": "string"
            },
            "ready": {
              "description": "Ready is a high-level summary of where the policy is in its lifecycle.\nThe conditions array and the reason and message fields contain more detail about the policy's status.",
              "type": "boolean"
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
