forge/clusterforge
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
19faf12efc
clusterforge/kyverno/CustomResourceDefinition_policies.kyverno.io.yaml
ClusterForge 033556c928 Cast commit
2025-10-06 09:34:03 +00:00

10573 lines
551 KiB
YAML
Raw Blame History

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.17.3
labels:
app.kubernetes.io/component: crds
app.kubernetes.io/instance: kyverno
app.kubernetes.io/part-of: kyverno-crds
app.kubernetes.io/version: 3.4.1
name: policies.kyverno.io
spec:
group: kyverno.io
names:
categories:
- kyverno
kind: Policy
listKind: PolicyList
plural: policies
shortNames:
- pol
singular: policy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
name: MESSAGE
type: string
name: v1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
properties:
admission:
default: true
type: boolean
applyRules:
enum:
- All
- One
type: string
background:
default: true
type: boolean
emitWarning:
default: false
type: boolean
failurePolicy:
enum:
- Ignore
- Fail
type: string
generateExisting:
type: boolean
generateExistingOnPolicyUpdate:
type: boolean
mutateExistingOnPolicyUpdate:
type: boolean
rules:
items:
properties:
celPreconditions:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
type: array
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
exclude:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
x-kubernetes-preserve-unknown-fields: true
foreach:
items:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
data:
x-kubernetes-preserve-unknown-fields: true
kind:
type: string
list:
type: string
name:
type: string
namespace:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
uid:
type: string
type: object
type: array
generateExisting:
type: boolean
kind:
type: string
name:
type: string
namespace:
type: string
orphanDownstreamOnPolicyDelete:
type: boolean
synchronize:
type: boolean
uid:
type: string
type: object
imageExtractors:
additionalProperties:
items:
properties:
jmesPath:
type: string
key:
type: string
name:
type: string
path:
type: string
value:
type: string
required:
- path
type: object
type: array
type: object
match:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
properties:
foreach:
items:
properties:
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
order:
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
mutateExistingOnPolicyUpdate:
type: boolean
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
targets:
items:
properties:
apiVersion:
type: string
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
kind:
type: string
name:
type: string
namespace:
type: string
preconditions:
x-kubernetes-preserve-unknown-fields: true
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
uid:
type: string
type: object
type: array
type: object
name:
maxLength: 63
type: string
preconditions:
x-kubernetes-preserve-unknown-fields: true
reportProperties:
additionalProperties:
type: string
type: object
skipBackgroundRequests:
default: true
type: boolean
validate:
properties:
allowExistingViolations:
default: true
type: boolean
anyPattern:
x-kubernetes-preserve-unknown-fields: true
assert:
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
properties:
auditAnnotations:
items:
properties:
key:
type: string
valueExpression:
type: string
required:
- key
- valueExpression
type: object
type: array
expressions:
items:
properties:
expression:
type: string
message:
type: string
messageExpression:
type: string
reason:
type: string
required:
- expression
type: object
type: array
generate:
default: false
type: boolean
paramKind:
properties:
apiVersion:
type: string
kind:
type: string
type: object
x-kubernetes-map-type: atomic
paramRef:
properties:
name:
type: string
namespace:
type: string
parameterNotFoundAction:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
items:
properties:
action:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
items:
properties:
anyPattern:
x-kubernetes-preserve-unknown-fields: true
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
type: boolean
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
manifests:
properties:
annotationDomain:
type: string
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
dryRun:
properties:
enable:
type: boolean
namespace:
type: string
type: object
ignoreFields:
items:
properties:
fields:
items:
type: string
type: array
objects:
items:
properties:
group:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
version:
type: string
type: object
type: array
type: object
type: array
repository:
type: string
type: object
message:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
podSecurity:
properties:
exclude:
items:
properties:
controlName:
enum:
- HostProcess
- Host Namespaces
- Privileged Containers
- Capabilities
- HostPath Volumes
- Host Ports
- AppArmor
- SELinux
- /proc Mount Type
- Seccomp
- Sysctls
- Volume Types
- Privilege Escalation
- Running as Non-root
- Running as Non-root user
type: string
images:
items:
type: string
type: array
restrictedField:
type: string
values:
items:
type: string
type: array
required:
- controlName
type: object
type: array
level:
enum:
- privileged
- baseline
- restricted
type: string
version:
enum:
- v1.19
- v1.20
- v1.21
- v1.22
- v1.23
- v1.24
- v1.25
- v1.26
- v1.27
- v1.28
- v1.29
- latest
type: string
type: object
type: object
verifyImages:
items:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
annotations:
additionalProperties:
type: string
type: object
attestations:
items:
properties:
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
conditions:
items:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
type: array
name:
type: string
predicateType:
type: string
type:
type: string
type: object
type: array
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
cosignOCI11:
type: boolean
failureAction:
enum:
- Audit
- Enforce
type: string
image:
type: string
imageReferences:
items:
type: string
type: array
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
issuer:
type: string
key:
type: string
mutateDigest:
default: true
type: boolean
repository:
type: string
required:
default: true
type: boolean
roots:
type: string
skipImageReferences:
items:
type: string
type: array
subject:
type: string
type:
enum:
- Cosign
- SigstoreBundle
- Notary
type: string
useCache:
default: true
type: boolean
validate:
properties:
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
message:
type: string
type: object
verifyDigest:
default: true
type: boolean
type: object
type: array
required:
- match
- name
type: object
type: array
schemaValidation:
type: boolean
useServerSideApply:
type: boolean
validationFailureAction:
default: Audit
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
items:
properties:
action:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
webhookConfiguration:
properties:
failurePolicy:
enum:
- Ignore
- Fail
type: string
matchConditions:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
type: array
timeoutSeconds:
format: int32
type: integer
type: object
webhookTimeoutSeconds:
format: int32
type: integer
type: object
status:
properties:
autogen:
properties:
rules:
items:
properties:
celPreconditions:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
type: array
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
exclude:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
x-kubernetes-preserve-unknown-fields: true
foreach:
items:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
data:
x-kubernetes-preserve-unknown-fields: true
kind:
type: string
list:
type: string
name:
type: string
namespace:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
uid:
type: string
type: object
type: array
generateExisting:
type: boolean
kind:
type: string
name:
type: string
namespace:
type: string
orphanDownstreamOnPolicyDelete:
type: boolean
synchronize:
type: boolean
uid:
type: string
type: object
imageExtractors:
additionalProperties:
items:
properties:
jmesPath:
type: string
key:
type: string
name:
type: string
path:
type: string
value:
type: string
required:
- path
type: object
type: array
type: object
match:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
properties:
foreach:
items:
properties:
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
order:
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
mutateExistingOnPolicyUpdate:
type: boolean
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
targets:
items:
properties:
apiVersion:
type: string
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
kind:
type: string
name:
type: string
namespace:
type: string
preconditions:
x-kubernetes-preserve-unknown-fields: true
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
uid:
type: string
type: object
type: array
type: object
name:
maxLength: 63
type: string
preconditions:
x-kubernetes-preserve-unknown-fields: true
reportProperties:
additionalProperties:
type: string
type: object
skipBackgroundRequests:
default: true
type: boolean
validate:
properties:
allowExistingViolations:
default: true
type: boolean
anyPattern:
x-kubernetes-preserve-unknown-fields: true
assert:
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
properties:
auditAnnotations:
items:
properties:
key:
type: string
valueExpression:
type: string
required:
- key
- valueExpression
type: object
type: array
expressions:
items:
properties:
expression:
type: string
message:
type: string
messageExpression:
type: string
reason:
type: string
required:
- expression
type: object
type: array
generate:
default: false
type: boolean
paramKind:
properties:
apiVersion:
type: string
kind:
type: string
type: object
x-kubernetes-map-type: atomic
paramRef:
properties:
name:
type: string
namespace:
type: string
parameterNotFoundAction:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
items:
properties:
action:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
items:
properties:
anyPattern:
x-kubernetes-preserve-unknown-fields: true
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
type: boolean
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
manifests:
properties:
annotationDomain:
type: string
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
dryRun:
properties:
enable:
type: boolean
namespace:
type: string
type: object
ignoreFields:
items:
properties:
fields:
items:
type: string
type: array
objects:
items:
properties:
group:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
version:
type: string
type: object
type: array
type: object
type: array
repository:
type: string
type: object
message:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
podSecurity:
properties:
exclude:
items:
properties:
controlName:
enum:
- HostProcess
- Host Namespaces
- Privileged Containers
- Capabilities
- HostPath Volumes
- Host Ports
- AppArmor
- SELinux
- /proc Mount Type
- Seccomp
- Sysctls
- Volume Types
- Privilege Escalation
- Running as Non-root
- Running as Non-root user
type: string
images:
items:
type: string
type: array
restrictedField:
type: string
values:
items:
type: string
type: array
required:
- controlName
type: object
type: array
level:
enum:
- privileged
- baseline
- restricted
type: string
version:
enum:
- v1.19
- v1.20
- v1.21
- v1.22
- v1.23
- v1.24
- v1.25
- v1.26
- v1.27
- v1.28
- v1.29
- latest
type: string
type: object
type: object
verifyImages:
items:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
annotations:
additionalProperties:
type: string
type: object
attestations:
items:
properties:
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
conditions:
items:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
type: array
name:
type: string
predicateType:
type: string
type:
type: string
type: object
type: array
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
cosignOCI11:
type: boolean
failureAction:
enum:
- Audit
- Enforce
type: string
image:
type: string
imageReferences:
items:
type: string
type: array
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
issuer:
type: string
key:
type: string
mutateDigest:
default: true
type: boolean
repository:
type: string
required:
default: true
type: boolean
roots:
type: string
skipImageReferences:
items:
type: string
type: array
subject:
type: string
type:
enum:
- Cosign
- SigstoreBundle
- Notary
type: string
useCache:
default: true
type: boolean
validate:
properties:
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
message:
type: string
type: object
verifyDigest:
default: true
type: boolean
type: object
type: array
required:
- match
- name
type: object
type: array
type: object
conditions:
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
maxLength: 32768
type: string
observedGeneration:
format: int64
minimum: 0
type: integer
reason:
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
enum:
- "True"
- "False"
- Unknown
type: string
type:
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
ready:
type: boolean
rulecount:
properties:
generate:
type: integer
mutate:
type: integer
validate:
type: integer
verifyimages:
type: integer
required:
- generate
- mutate
- validate
- verifyimages
type: object
validatingadmissionpolicy:
properties:
generated:
type: boolean
message:
type: string
required:
- generated
- message
type: object
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
- additionalPrinterColumns:
- jsonPath: .spec.admission
name: ADMISSION
type: boolean
- jsonPath: .spec.background
name: BACKGROUND
type: boolean
- jsonPath: .status.conditions[?(@.type == "Ready")].status
name: READY
type: string
- jsonPath: .metadata.creationTimestamp
name: AGE
type: date
- jsonPath: .spec.failurePolicy
name: FAILURE POLICY
priority: 1
type: string
- jsonPath: .status.rulecount.validate
name: VALIDATE
priority: 1
type: integer
- jsonPath: .status.rulecount.mutate
name: MUTATE
priority: 1
type: integer
- jsonPath: .status.rulecount.generate
name: GENERATE
priority: 1
type: integer
- jsonPath: .status.rulecount.verifyimages
name: VERIFY IMAGES
priority: 1
type: integer
- jsonPath: .status.conditions[?(@.type == "Ready")].message
name: MESSAGE
type: string
name: v2beta1
schema:
openAPIV3Schema:
properties:
apiVersion:
type: string
kind:
type: string
metadata:
type: object
spec:
properties:
admission:
default: true
type: boolean
applyRules:
enum:
- All
- One
type: string
background:
default: true
type: boolean
emitWarning:
default: false
type: boolean
failurePolicy:
enum:
- Ignore
- Fail
type: string
generateExisting:
type: boolean
generateExistingOnPolicyUpdate:
type: boolean
mutateExistingOnPolicyUpdate:
type: boolean
rules:
items:
properties:
celPreconditions:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
type: array
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
exclude:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
x-kubernetes-preserve-unknown-fields: true
foreach:
items:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
data:
x-kubernetes-preserve-unknown-fields: true
kind:
type: string
list:
type: string
name:
type: string
namespace:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
uid:
type: string
type: object
type: array
generateExisting:
type: boolean
kind:
type: string
name:
type: string
namespace:
type: string
orphanDownstreamOnPolicyDelete:
type: boolean
synchronize:
type: boolean
uid:
type: string
type: object
imageExtractors:
additionalProperties:
items:
properties:
jmesPath:
type: string
key:
type: string
name:
type: string
path:
type: string
value:
type: string
required:
- path
type: object
type: array
type: object
match:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
type: object
mutate:
properties:
foreach:
items:
properties:
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
order:
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
mutateExistingOnPolicyUpdate:
type: boolean
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
targets:
items:
properties:
apiVersion:
type: string
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
kind:
type: string
name:
type: string
namespace:
type: string
preconditions:
x-kubernetes-preserve-unknown-fields: true
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
uid:
type: string
type: object
type: array
type: object
name:
maxLength: 63
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
skipBackgroundRequests:
default: true
type: boolean
validate:
properties:
anyPattern:
x-kubernetes-preserve-unknown-fields: true
assert:
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
properties:
auditAnnotations:
items:
properties:
key:
type: string
valueExpression:
type: string
required:
- key
- valueExpression
type: object
type: array
expressions:
items:
properties:
expression:
type: string
message:
type: string
messageExpression:
type: string
reason:
type: string
required:
- expression
type: object
type: array
generate:
default: false
type: boolean
paramKind:
properties:
apiVersion:
type: string
kind:
type: string
type: object
x-kubernetes-map-type: atomic
paramRef:
properties:
name:
type: string
namespace:
type: string
parameterNotFoundAction:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
properties:
conditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- AnyIn
- AllIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
type: object
failureAction:
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
items:
properties:
action:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
items:
properties:
anyPattern:
x-kubernetes-preserve-unknown-fields: true
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
type: boolean
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
manifests:
properties:
annotationDomain:
type: string
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
dryRun:
properties:
enable:
type: boolean
namespace:
type: string
type: object
ignoreFields:
items:
properties:
fields:
items:
type: string
type: array
objects:
items:
properties:
group:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
version:
type: string
type: object
type: array
type: object
type: array
repository:
type: string
type: object
message:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
podSecurity:
properties:
exclude:
items:
properties:
controlName:
enum:
- HostProcess
- Host Namespaces
- Privileged Containers
- Capabilities
- HostPath Volumes
- Host Ports
- AppArmor
- SELinux
- /proc Mount Type
- Seccomp
- Sysctls
- Volume Types
- Privilege Escalation
- Running as Non-root
- Running as Non-root user
type: string
images:
items:
type: string
type: array
restrictedField:
type: string
values:
items:
type: string
type: array
required:
- controlName
type: object
type: array
level:
enum:
- privileged
- baseline
- restricted
type: string
version:
enum:
- v1.19
- v1.20
- v1.21
- v1.22
- v1.23
- v1.24
- v1.25
- v1.26
- v1.27
- v1.28
- v1.29
- latest
type: string
type: object
type: object
verifyImages:
items:
properties:
attestations:
items:
properties:
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
conditions:
items:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
type: array
name:
type: string
predicateType:
type: string
type:
type: string
type: object
type: array
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
failureAction:
enum:
- Audit
- Enforce
type: string
imageReferences:
items:
type: string
type: array
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
mutateDigest:
default: true
type: boolean
repository:
type: string
required:
default: true
type: boolean
skipImageReferences:
items:
type: string
type: array
type:
enum:
- Cosign
- SigstoreBundle
- Notary
type: string
useCache:
default: true
type: boolean
validate:
properties:
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
message:
type: string
type: object
verifyDigest:
default: true
type: boolean
type: object
type: array
required:
- match
- name
type: object
type: array
schemaValidation:
type: boolean
useServerSideApply:
type: boolean
validationFailureAction:
default: Audit
enum:
- audit
- enforce
- Audit
- Enforce
type: string
validationFailureActionOverrides:
items:
properties:
action:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
webhookConfiguration:
properties:
failurePolicy:
enum:
- Ignore
- Fail
type: string
matchConditions:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
type: array
timeoutSeconds:
format: int32
type: integer
type: object
webhookTimeoutSeconds:
format: int32
type: integer
type: object
status:
properties:
autogen:
properties:
rules:
items:
properties:
celPreconditions:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
type: array
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
exclude:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
generate:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
data:
x-kubernetes-preserve-unknown-fields: true
foreach:
items:
properties:
apiVersion:
type: string
clone:
properties:
name:
type: string
namespace:
type: string
type: object
cloneList:
properties:
kinds:
items:
type: string
type: array
namespace:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
data:
x-kubernetes-preserve-unknown-fields: true
kind:
type: string
list:
type: string
name:
type: string
namespace:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
uid:
type: string
type: object
type: array
generateExisting:
type: boolean
kind:
type: string
name:
type: string
namespace:
type: string
orphanDownstreamOnPolicyDelete:
type: boolean
synchronize:
type: boolean
uid:
type: string
type: object
imageExtractors:
additionalProperties:
items:
properties:
jmesPath:
type: string
key:
type: string
name:
type: string
path:
type: string
value:
type: string
required:
- path
type: object
type: array
type: object
match:
not:
required:
- any
- all
properties:
all:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
any:
items:
properties:
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
type: array
clusterRoles:
items:
type: string
type: array
resources:
not:
required:
- name
- names
properties:
annotations:
additionalProperties:
type: string
type: object
kinds:
items:
type: string
type: array
name:
type: string
names:
items:
type: string
type: array
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
operations:
items:
enum:
- CREATE
- CONNECT
- UPDATE
- DELETE
type: string
type: array
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
roles:
items:
type: string
type: array
subjects:
items:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
required:
- kind
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
mutate:
properties:
foreach:
items:
properties:
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
order:
enum:
- Ascending
- Descending
type: string
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
mutateExistingOnPolicyUpdate:
type: boolean
patchStrategicMerge:
x-kubernetes-preserve-unknown-fields: true
patchesJson6902:
type: string
targets:
items:
properties:
apiVersion:
type: string
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
kind:
type: string
name:
type: string
namespace:
type: string
preconditions:
x-kubernetes-preserve-unknown-fields: true
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
uid:
type: string
type: object
type: array
type: object
name:
maxLength: 63
type: string
preconditions:
x-kubernetes-preserve-unknown-fields: true
reportProperties:
additionalProperties:
type: string
type: object
skipBackgroundRequests:
default: true
type: boolean
validate:
properties:
allowExistingViolations:
default: true
type: boolean
anyPattern:
x-kubernetes-preserve-unknown-fields: true
assert:
type: object
x-kubernetes-preserve-unknown-fields: true
cel:
properties:
auditAnnotations:
items:
properties:
key:
type: string
valueExpression:
type: string
required:
- key
- valueExpression
type: object
type: array
expressions:
items:
properties:
expression:
type: string
message:
type: string
messageExpression:
type: string
reason:
type: string
required:
- expression
type: object
type: array
generate:
default: false
type: boolean
paramKind:
properties:
apiVersion:
type: string
kind:
type: string
type: object
x-kubernetes-map-type: atomic
paramRef:
properties:
name:
type: string
namespace:
type: string
parameterNotFoundAction:
type: string
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-map-type: atomic
variables:
items:
properties:
expression:
type: string
name:
type: string
required:
- expression
- name
type: object
x-kubernetes-map-type: atomic
type: array
type: object
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
failureAction:
enum:
- Audit
- Enforce
type: string
failureActionOverrides:
items:
properties:
action:
enum:
- audit
- enforce
- Audit
- Enforce
type: string
namespaceSelector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
x-kubernetes-list-type: atomic
required:
- key
- operator
type: object
type: array
x-kubernetes-list-type: atomic
matchLabels:
additionalProperties:
type: string
type: object
type: object
x-kubernetes-map-type: atomic
namespaces:
items:
type: string
type: array
type: object
type: array
foreach:
items:
properties:
anyPattern:
x-kubernetes-preserve-unknown-fields: true
context:
items:
oneOf:
- required:
- configMap
- required:
- apiCall
- required:
- imageRegistry
- required:
- variable
- required:
- globalReference
properties:
apiCall:
properties:
data:
items:
properties:
key:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
required:
- key
- value
type: object
type: array
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
method:
default: GET
enum:
- GET
- POST
type: string
service:
properties:
caBundle:
type: string
headers:
items:
properties:
key:
type: string
value:
type: string
required:
- key
- value
type: object
type: array
url:
type: string
required:
- url
type: object
urlPath:
type: string
type: object
configMap:
properties:
name:
type: string
namespace:
type: string
required:
- name
type: object
globalReference:
properties:
jmesPath:
type: string
name:
type: string
required:
- name
type: object
imageRegistry:
properties:
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
jmesPath:
type: string
reference:
type: string
required:
- reference
type: object
name:
type: string
variable:
properties:
default:
x-kubernetes-preserve-unknown-fields: true
jmesPath:
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
required:
- name
type: object
type: array
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
elementScope:
type: boolean
foreach:
x-kubernetes-preserve-unknown-fields: true
list:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
preconditions:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
manifests:
properties:
annotationDomain:
type: string
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
dryRun:
properties:
enable:
type: boolean
namespace:
type: string
type: object
ignoreFields:
items:
properties:
fields:
items:
type: string
type: array
objects:
items:
properties:
group:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
version:
type: string
type: object
type: array
type: object
type: array
repository:
type: string
type: object
message:
type: string
pattern:
x-kubernetes-preserve-unknown-fields: true
podSecurity:
properties:
exclude:
items:
properties:
controlName:
enum:
- HostProcess
- Host Namespaces
- Privileged Containers
- Capabilities
- HostPath Volumes
- Host Ports
- AppArmor
- SELinux
- /proc Mount Type
- Seccomp
- Sysctls
- Volume Types
- Privilege Escalation
- Running as Non-root
- Running as Non-root user
type: string
images:
items:
type: string
type: array
restrictedField:
type: string
values:
items:
type: string
type: array
required:
- controlName
type: object
type: array
level:
enum:
- privileged
- baseline
- restricted
type: string
version:
enum:
- v1.19
- v1.20
- v1.21
- v1.22
- v1.23
- v1.24
- v1.25
- v1.26
- v1.27
- v1.28
- v1.29
- latest
type: string
type: object
type: object
verifyImages:
items:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
annotations:
additionalProperties:
type: string
type: object
attestations:
items:
properties:
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
conditions:
items:
properties:
all:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
any:
items:
properties:
key:
x-kubernetes-preserve-unknown-fields: true
message:
type: string
operator:
enum:
- Equals
- NotEquals
- In
- AnyIn
- AllIn
- NotIn
- AnyNotIn
- AllNotIn
- GreaterThanOrEquals
- GreaterThan
- LessThanOrEquals
- LessThan
- DurationGreaterThanOrEquals
- DurationGreaterThan
- DurationLessThanOrEquals
- DurationLessThan
type: string
value:
x-kubernetes-preserve-unknown-fields: true
type: object
type: array
type: object
type: array
name:
type: string
predicateType:
type: string
type:
type: string
type: object
type: array
attestors:
items:
properties:
count:
minimum: 1
type: integer
entries:
items:
properties:
annotations:
additionalProperties:
type: string
type: object
attestor:
x-kubernetes-preserve-unknown-fields: true
certificates:
properties:
cert:
type: string
certChain:
type: string
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
type: object
keyless:
properties:
additionalExtensions:
additionalProperties:
type: string
type: object
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
issuer:
type: string
issuerRegExp:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
roots:
type: string
subject:
type: string
subjectRegExp:
type: string
type: object
keys:
properties:
ctlog:
properties:
ignoreSCT:
type: boolean
pubkey:
type: string
tsaCertChain:
type: string
type: object
kms:
type: string
publicKeys:
type: string
rekor:
properties:
ignoreTlog:
type: boolean
pubkey:
type: string
url:
type: string
type: object
secret:
properties:
name:
type: string
namespace:
type: string
required:
- name
- namespace
type: object
signatureAlgorithm:
default: sha256
type: string
type: object
repository:
type: string
signatureAlgorithm:
default: sha256
type: string
type: object
type: array
type: object
type: array
cosignOCI11:
type: boolean
failureAction:
enum:
- Audit
- Enforce
type: string
image:
type: string
imageReferences:
items:
type: string
type: array
imageRegistryCredentials:
properties:
allowInsecureRegistry:
type: boolean
providers:
items:
enum:
- default
- amazon
- azure
- google
- github
type: string
type: array
secrets:
items:
type: string
type: array
type: object
issuer:
type: string
key:
type: string
mutateDigest:
default: true
type: boolean
repository:
type: string
required:
default: true
type: boolean
roots:
type: string
skipImageReferences:
items:
type: string
type: array
subject:
type: string
type:
enum:
- Cosign
- SigstoreBundle
- Notary
type: string
useCache:
default: true
type: boolean
validate:
properties:
deny:
properties:
conditions:
x-kubernetes-preserve-unknown-fields: true
type: object
message:
type: string
type: object
verifyDigest:
default: true
type: boolean
type: object
type: array
required:
- match
- name
type: object
type: array
type: object
conditions:
items:
properties:
lastTransitionTime:
format: date-time
type: string
message:
maxLength: 32768
type: string
observedGeneration:
format: int64
minimum: 0
type: integer
reason:
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
enum:
- "True"
- "False"
- Unknown
type: string
type:
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
ready:
type: boolean
rulecount:
properties:
generate:
type: integer
mutate:
type: integer
validate:
type: integer
verifyimages:
type: integer
required:
- generate
- mutate
- validate
- verifyimages
type: object
validatingadmissionpolicy:
properties:
generated:
type: boolean
message:
type: string
required:
- generated
- message
type: object
type: object
required:
- spec
type: object
served: true
storage: false
subresources:
status: {}
Reference in New Issue View Git Blame Copy Permalink